!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/vgetty/   drwxr-xr-x
Free 50.94 GB of 127.8 GB (39.86%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     upload.cgi (1.78 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
#!/usr/bin/perl
# upload.cgi
# Convert a WAV file to rmd format

require './vgetty-lib.pl';
&ReadParseMime();
&error_setup($text{'upload_err'});
$in{'wav'} || &error($text{'upload_emessage'});

$temp1 = &transname();
open(TEMP, ">$temp1");
print TEMP $in{'wav'};
close(TEMP);
if (&rmd_file_info($temp1)) {
    # Already in RMD format .. just use
    $rmdfile = $temp1;
    }
else {
    # Convert to PVF format
    $temp2 = &transname();
    $out = &backquote_logged("wavtopvf $temp1 $temp2 2>&1");
    $ec = $?;
    unlink($temp1);
    if ($ec) {
        unlink($temp2);
        &error(&text('upload_ewav', "<pre>$out</pre>"));
        }

    # Convert to RMD format
    @formats = &list_rmd_formats();
    $format = $formats[$in{'format'}];
    $rmdfile = &transname();
    $out = &backquote_logged("pvftormd $format->{'code'} $format->{'bits'} $temp2 $rmdfile 2>&1");
    $ec = $?;
    unlink($temp2);
    if ($ec) {
        unlink($rmdfile);
        &error(&text('upload_epvf', "<pre>$out</pre>"));
        }
    }

# Add to the index
@conf = &get_config();
$dir = &messages_dir(\@conf);
$in{'wav_filename'} =~ s/^.*[\/\\]//;
$in{'wav_filename'} =~ s/\.wav$//i;
if (-r "$dir/$in{'wav_filename'}.rmd") {
    &error(&text('upload_esame', "$in{'wav_filename'}.rmd"));
    }
$index = &messages_index(\@conf);
open(INDEX, $index);
@index = map { chomp; $_ } <INDEX>;
close(INDEX);
if (!@index) {
    $bak = &find_value("backup_message", \@conf);
    push(@index, $bak) if (-r "$dir/$bak");
    }
push(@index, "$in{'wav_filename'}.rmd");
system("mv $rmdfile $dir/$in{'wav_filename'}.rmd");
&open_lock_tempfile(INDEX, ">$index");
&print_tempfile(INDEX, map { "$_\n" } @index);
&close_tempfile(INDEX);
&webmin_log("upload", undef, undef,
        { 'file' => "$in{'wav_filename'}.rmd" });

# Save the format type
$config{'format'} = $in{'format'};
&write_file("$module_config_directory/config", \%config);
&redirect("list_messages.cgi");


:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0061 ]--