!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/syslog-ng/   drwxr-xr-x
Free 50.93 GB of 127.8 GB (39.85%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     view_log.cgi (2.92 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
#!/usr/bin/perl
# Show a log file

require './syslog-ng-lib.pl';
&ReadParse();
&foreign_require("proc", "proc-lib.pl");

# Work out the file
$conf = &get_config();
if ($in{'dest'}) {
    # From a destination
    @dests = &find("destination", $conf);
    ($dest) = grep { $_->{'value'} eq $in{'dest'} } @dests;
    $dest || &error($text{'destination_egone'});
    $file = &find_value("file", $dest->{'members'});
    }
elsif ($in{'omod'}) {
    # From another module
    @others = &get_other_module_logs($in{'omod'});
    ($other) = grep { $_->{'mindex'} == $in{'oidx'} } @others;
    if ($other->{'file'}) {
        $file = $other->{'file'};
        }
    else {
        $cmd = $other->{'cmd'};
        }
    }

print "Refresh: $config{'refresh'}\r\n"
    if ($config{'refresh'});
&ui_print_header("<tt>".($file || $cmd)."</tt>", $text{'view_title'}, "");

$lines = $in{'lines'} ? int($in{'lines'}) : $config{'lines'};
$filter = $in{'filter'} ? quotemeta($in{'filter'}) : "";

&filter_form();

$| = 1;
print "<pre>";
local $tailcmd = $config{'tail_cmd'} || "tail -n LINES";
$tailcmd =~ s/LINES/$lines/g;
if ($filter ne "") {
    # Are we supposed to filter anything? Then use grep.
    local @cats;
    if ($cmd) {
        push(@cats, $cmd);
        }
    elsif ($config{'compressed'}) {
        # All compressed versions
        foreach $l (&all_log_files($file)) {
            $c = &catter_command($l);
            push(@cats, $c) if ($c);
            }
        }
    else {
        # Just the one log
        @cats = ( "cat ".quotemeta($file) );
        }
    $cat = "(".join(" ; ", @cats).")";
    $got = &foreign_call("proc", "safe_process_exec",
        "$cat | grep -i $filter | $tailcmd",
        0, 0, STDOUT, undef, 1, 0, undef, 1);
    }
else {
    # Not filtering .. so cat the most recent non-empty file
    if ($cmd) {
                # Getting output from a command
                $fullcmd = $cmd." | ".$tailcmd;
        }
    elsif ($config{'compressed'}) {
        # Find the first non-empty file, newest first
        $catter = "cat ".quotemeta($file);
        if (!-s $file) {
            foreach $l (&all_log_files($file)) {
                next if (!-s $l);
                $c = &catter_command($l);
                if ($c) {
                    $catter = $c;
                    last;
                    }
                }
            }
        $fullcmd = $catter." | ".$tailcmd;
        }
    else {
        # Just run tail on the file
        $fullcmd = $tailcmd." ".quotemeta($file);
        }
    $got = &foreign_call("proc", "safe_process_exec",
        $fullcmd, 0, 0, STDOUT, undef, 1, 0, undef, 1);
    }
print "<i>$text{'view_empty'}</i>\n" if (!$got);
print "</pre>\n";
&filter_form();

&ui_print_footer("list_destinations.cgi", $text{'destinations_return'},
         "", $text{'index_return'});

sub filter_form
{
print "<form action=view_log.cgi style='margin-left:1em'>\n";
print &ui_hidden("dest", $in{'dest'}),"\n";
print &ui_hidden("oidx", $in{'oidx'}),"\n";
print &ui_hidden("omod", $in{'omod'}),"\n";

print &text('view_header', &ui_textbox("lines", $lines, 3),
        "<tt>".&html_escape($log->{'file'})."</tt>"),"\n";
print "&nbsp;&nbsp;\n";
print &text('view_filter', &ui_textbox("filter", $in{'filter'}, 25)),"\n";
print "&nbsp;&nbsp;\n";
print "<input type=submit value='$text{'view_refresh'}'></form>\n";
}


:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0065 ]--