!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/tcpwrappers/   drwxr-xr-x
Free 50.94 GB of 127.8 GB (39.86%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     save_rule.cgi (2.21 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
#!/usr/bin/perl
# Create, update or delete a rule

require './tcpwrappers-lib.pl';
&ReadParse();
&error_setup($text{'save_errtitle'});
$type = $in{'allow'} ? 'allow' : 'deny';
$file = $config{'hosts_'.$type};
@rules = &list_rules($file);

if (!$in{'new'}) {
    ($rule) = grep { $_->{'id'} == $in{'id'} } @rules;
    $rule || &error($text{'edit_eid'});
}
        
&lock_file($file);
if ($in{'delete'}) {
    # Delete one rule
    &delete_rule($file, $rule);
    goto ALLDONE;
} else {
    # Check input
    &error($text{'save_eservice'}) if ($in{'service_custom'} && $in{'service_custom'} !~ /^[\w\d\s\-\/\.,]+$/);
    &error($text{'save_eservice'}) if ($in{'service_except_custom'} && $in{'service_except_custom'} !~ /^[\w\d\s\-\/\.,]+$/);

    &error($text{'save_ehost'}) if ($in{'host_text_def'} == 0 && $in{'host_text'} !~ /^[\w\d\s\-\/\@\.,]+$/);
    &error($text{'save_ehost'}) if ($in{'host_except'} && $in{'host_except'} !~ /^[\w\d\s\-\/\@\.,]+$/);

    for (my $i = 0; $i <= $in{'cmd_count'}; $i++) {
    &error($text{'save_ecmd'}) if ($in{'cmd_'.$i} && $in{'cmd_'.$i} !~ /^[\w\d\s\-\/\@\%\|\(\)\'\"\&\.,]+$/);
    }
}

# Build rule record
if ($in{'service_custom'}) {
    $service = $in{'service_custom'};
    if ($in{'service_except_custom'}) {
    $service .= " EXCEPT ".$in{'service_except_custom'};
    }
} else {
    # listed from (x)inetd
    $service = join(",", split /\0/, $in{'service'});
    if ($in{'service_except'}) {
    $service .= " EXCEPT ".join(",", split /\0/, $in{'service_except'});
    }
}

$host = $in{'host_text_def'} ? $in{'host_select'} : $in{'host_text'};
if ($in{'host_except'}) {
    $host .= " EXCEPT ".$in{'host_except'};
}

$cmd = '';
for (my $i = 0; $i <= $in{'cmd_count'}; $i++) {
    next unless ($in{'cmd_'.$i});
    $cmd .= $cmd ? " : " : '';
    $cmd .= $in{'cmd_directive_'.$i} ne 'none' ? $in{'cmd_directive_'.$i}.' ' : '';
    $cmd .= $in{'cmd_'.$i};
}

my %newrule = ( 'service' => $service,
        'host' => $host,
        'cmd' => $cmd
        );

# Save to file
if ($in{'new'}) {
    &create_rule($file, \%newrule);
} else {
    &modify_rule($file, $rule, \%newrule);
}

ALLDONE:
&unlock_file($file);
&webmin_log($in{'new'} ? "create" : $in{'delete'} ? "delete" : "modify", "rule", $rule->{'id'});
&redirect("index.cgi?type=$type");


:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0139 ]--