!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/squid/   drwxr-xr-x
Free 50.94 GB of 127.8 GB (39.85%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     edit_acl.cgi (6.78 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
#!/usr/bin/perl
# edit_acl.cgi
# Display a list of all ACLs and restrictions using them

require './squid-lib.pl';
&ReadParse();
$access{'actrl'} || &error($text{'eacl_ecannot'});
&ui_print_header(undef, $text{'eacl_header'}, "", "edit_acl", 0, 0, 0, &restart_button());
$conf = &get_config();

# Start tabs for various ACL settings
$prog = "edit_acl.cgi";
@tabs = ( [ "acls", $text{'eacl_acls'}, $prog."?mode=acls" ],
      [ "http", $text{'eacl_pr'}, $prog."?mode=http" ],
      [ "icp", $text{'eacl_icpr'}, $prog."?mode=icp" ] );
if ($squid_version >= 2.5) {
    push(@tabs, [ "external", $text{'eacl_ext'}, $prog."?mode=external" ],
            [ "reply", $text{'eacl_replypr'}, $prog."?mode=reply" ] );
    }
print &ui_tabs_start(\@tabs, "mode", $in{'mode'} || "acls", 1);

# List all defined access control directives
print &ui_tabs_start_tab("mode", "acls");
@acl = &find_config("acl", $conf);
if (@acl) {
    print &ui_columns_start([ $text{'eacl_name'},
                  $text{'eacl_type'},
                  $text{'eacl_match'} ], 100);
    foreach $a (@acl) {
        @v = @{$a->{'values'}};
        local @cols;
        push(@cols, "<a href=\"acl.cgi?index=$a->{'index'}\">".
                &html_escape($v[0])."</a>");
        push(@cols, $acl_types{$v[1]});
        if ($v[2] =~ /^"(.*)"$/ || $v[3] =~ /^"(.*)"$/) {
            push(@cols, &text('eacl_file', "<tt>$1</tt>"));
            }
        else {
            push(@cols, &html_escape(join(' ', @v[2..$#v])));
            }
        print &ui_columns_row(\@cols, [ "", "nowrap", "" ]);
        }
    print &ui_columns_end();
    }
else {
    print "<b>$text{'eacl_noacls'}</b><p>\n";
    }
print "<form action=acl.cgi>\n";
print "<input type=submit value=\"$text{'eacl_buttcreate'}\">\n";
print "<select name=type>\n";
foreach $t (sort { $acl_types{$a} cmp $acl_types{$b} } keys %acl_types) {
    print "<option value=$t>$acl_types{$t}\n";
    }
print "</select></form>\n";
print &ui_tabs_end_tab();

# List all HTTP restrictions, based on ACLs
print &ui_tabs_start_tab("mode", "http");
@http = &find_config("http_access", $conf);
if (@http) {
    @tds = ( "width=5", "width=10%", undef, "width=32" );
    print &ui_form_start("delete_http_accesses.cgi", "post");
    print "<a href=http_access.cgi?new=1>$text{'eacl_addpr'}</a><br>\n";
    print &ui_columns_start([ "",
                  $text{'eacl_act'},
                  $text{'eacl_acls1'},
                  $text{'eacl_move'} ], 100, 0, \@tds);
    $hc = 0;
    foreach $h (@http) {
        @v = @{$h->{'values'}};
        if ($v[0] eq "allow") {
            $v[0] = $text{'eacl_allow'};
            }
        else {
            $v[0] = $text{'eacl_deny'};
            }
        local @cols;
        push(@cols, "<a href=\"http_access.cgi?index=$h->{'index'}\">".
                "$v[0]</a>");
        push(@cols, &html_escape(join(' ', @v[1..$#v])));
        local $mover = &ui_up_down_arrows(
            "move_http.cgi?$hc+-1",
            "move_http.cgi?$hc+1",
            $hc != 0,
            $hc != @http-1
            );
        push(@cols, $mover);
        print &ui_checked_columns_row(\@cols, \@tds, "d",$h->{'index'});
        $hc++;
        }
    print &ui_columns_end();
    print "<a href=http_access.cgi?new=1>$text{'eacl_addpr'}</a><br>\n";
    print &ui_form_end([ [ "delete", $text{'eacl_hdelete'} ] ]);
    }
else {
    print "<b>$text{'eacl_nopr'}</b><p>\n";
    print "<a href=http_access.cgi?new=1>$text{'eacl_addpr'}</a><br>\n";
    }
print &ui_tabs_end_tab();

# List all ICP restrictions, based on ACLs
print &ui_tabs_start_tab("mode", "icp");
@icp = &find_config("icp_access", $conf);
if (@icp) {
    print &ui_form_start("delete_icp_accesses.cgi", "post");
    @tds = ( "width=5", "width=10%", undef, "width=32" );
    print "<a href=icp_access.cgi?new=1>$text{'eacl_addicpr'}</a><br>\n";
    print &ui_columns_start([ "",
                  $text{'eacl_act'},
                  $text{'eacl_acls1'},
                  $text{'eacl_move'} ], 100, 0, \@tds);
    $ic = 0;
    foreach $i (@icp) {
        @v = @{$i->{'values'}};
        if ($v[0] eq "allow") {
            $v[0] = $text{'eacl_allow'};
            }
        else {
            $v[0] = $text{'eacl_deny'};
            }
        local @cols;
        push(@cols, "<a href=\"icp_access.cgi?index=$i->{'index'}\">".
                "$v[0]</a>");
        push(@cols, &html_escape(join(' ', @v[1..$#v])));
        local $mover = &ui_up_down_arrows(
            "move_icp.cgi?$ic+-1",
            "move_icp.cgi?$ic+1",
            $ic != 0,
            $ic != @icp-1);
        push(@cols, $mover);
        print &ui_checked_columns_row(\@cols, \@tds, "d",$i->{'index'});
        $ic++;
        }
    print &ui_columns_end();
    print "<a href=icp_access.cgi?new=1>$text{'eacl_addicpr'}</a><br>\n";
    print &ui_form_end([ [ "delete", $text{'eacl_hdelete'} ] ]);
    }
else {
    print "<b>$text{'eacl_noicpr'}</b><p>\n";
    print "<a href=icp_access.cgi?new=1>$text{'eacl_addicpr'}</a><br>\n";
    }
print &ui_tabs_end_tab();

# List all HTTP REPLY restrictions, based on ACLs
if ($squid_version >= 2.5) {
    print &ui_tabs_start_tab("mode", "reply");
    @http_reply = &find_config("http_reply_access", $conf);
    if (@http_reply) {
        @tds = ( "width=5", "width=10%", undef, "width=32" );
        print &ui_form_start("delete_http_reply_accesses.cgi", "post");
        print "<a href=http_reply_access.cgi?new=1>$text{'eacl_addpr'}</a><br>\n";
        print &ui_columns_start([ "",
                      $text{'eacl_act'},
                      $text{'eacl_acls1'},
                      $text{'eacl_move'} ], 100, 0, \@tds);
        $hc = 0;
        foreach $h (@http_reply) {
            @v = @{$h->{'values'}};
            if ($v[0] eq "allow") {
                $v[0] = $text{'eacl_allow'};
                }
            else {
                $v[0] = $text{'eacl_deny'};
                }
            local @cols;
            push(@cols, "<a href=\"http_reply_access.cgi?index=$h->{'index'}\">".
                    "$v[0]</a>");
            push(@cols, &html_escape(join(' ', @v[1..$#v])));
            local $mover;
            if ($hc != @http_reply-1) {
                $mover .= "<a href=\"move_http_reply.cgi?$hc+1\">".
                      "<img src=images/down.gif border=0></a>";
                }
            else {
                $mover .= "<img src=images/gap.gif>";
                }
            if ($hc != 0) {
                $mover .= "<a href=\"move_http_reply.cgi?$hc+-1\">".
                      "<img src=images/up.gif border=0></a>";
                }
            else {
                $mover .= "<img src=images/gap.gif>";
                }
            push(@cols, $mover);
            print &ui_checked_columns_row(\@cols, \@tds, "d",$h->{'index'});
            $hc++;
            }
        print &ui_columns_end();
        print "<a href=http_reply_access.cgi?new=1>$text{'eacl_addpr'}</a><br>\n";
        print &ui_form_end([ [ "delete", $text{'eacl_hdelete'} ] ]);
        }
    else {
        print "<b>$text{'eacl_noprr'}</b><p>\n";
        print "<a href=http_reply_access.cgi?new=1>$text{'eacl_addprr'}</a><br>\n";
        }
    print &ui_tabs_end_tab();
    }

if ($squid_version >= 2.5) {
    # Show table of external ACL types
    print &ui_tabs_start_tab("mode", "external");
    @ext = &find_config("external_acl_type", $conf);
    if (@ext) {
        print &ui_columns_start([ $text{'eacl_cname'},
                      $text{'eacl_format'},
                      $text{'eacl_program'} ], 100);
        foreach $e (@ext) {
            $ea = &parse_external($e);
            print &ui_columns_row([
                "<a href='edit_ext.cgi?index=$e->{'index'}'>".
                     "$ea->{'name'}</a>",
                $ea->{'format'},
                join(" ", $ea->{'program'}, @{$ea->{'args'}})
                ]);
            }
        print &ui_columns_end();
        }
    else {
        print "<b>$text{'eacl_noext'}</b><p>\n";
        }
    print "<a href=edit_ext.cgi?new=1>$text{'eacl_addext'}</a>\n";
    print &ui_tabs_end_tab();
    }

print &ui_tabs_end(1);

&ui_print_footer("", $text{'eacl_return'});


:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.009 ]--