!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/libexec/webmin/webmin/   drwxr-xr-x
Free 49.59 GB of 127.8 GB (38.8%)


Viewing file:     change_session.cgi (4.06 KB)      -rwxr-xr-x
#!/usr/bin/perl
# change_session.cgi
# Enable or disable session authentication

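# Load the shared Webmin library, parse the submitted form and set the error
# prefix. NOTE(review): %in is presumably filled by ReadParse() from the
# request, so every $in{...} value below is caller-controlled - confirm.
require './webmin-lib.pl';
&ReadParse();
&error_setup($text{'session_err'});

# Lock the miniserv config file named by MINISERV_CONFIG and read it into
# %miniserv; the matching unlock_file() call comes after the settings have
# been written back, later in this script.
&lock_file($ENV{'MINISERV_CONFIG'});
&get_miniserv_config(\%miniserv);

# NOTE(review): passdelay is stored exactly as submitted, with no format
# check - verify that the config writer cannot be handed embedded newlines.
$miniserv{'passdelay'} = $in{'passdelay'};

# Save blocked hosts. Both limits must be positive integers. The patterns end
# in \z rather than $ because $ also matches before a trailing newline, which
# would let a value such as "5\n" pass validation and reach the config file.
if ($in{'blockhost_on'}) {
    &error($text{'session_eblockhost_time'})
        unless ($in{'blockhost_time'} =~ /^\d+\z/ &&
                $in{'blockhost_time'} > 0);
    &error($text{'session_eblockhost_failures'})
        unless ($in{'blockhost_failures'} =~ /^\d+\z/ &&
                $in{'blockhost_failures'} > 0);
    $miniserv{'blockhost_time'} = $in{'blockhost_time'};
    $miniserv{'blockhost_failures'} = $in{'blockhost_failures'};
    }
else {
    # Host blocking switched off: both settings are cleared.
    $miniserv{'blockhost_time'} = $miniserv{'blockhost_failures'} = undef;
    }

# Save blocked users. Same rules as for blocked hosts.
if ($in{'blockuser_on'}) {
    &error($text{'session_eblockuser_time'})
        unless ($in{'blockuser_time'} =~ /^\d+\z/ &&
                $in{'blockuser_time'} > 0);
    &error($text{'session_eblockuser_failures'})
        unless ($in{'blockuser_failures'} =~ /^\d+\z/ &&
                $in{'blockuser_failures'} > 0);
    $miniserv{'blockuser_time'} = $in{'blockuser_time'};
    $miniserv{'blockuser_failures'} = $in{'blockuser_failures'};
    }
else {
    # User blocking switched off: both settings are cleared.
    $miniserv{'blockuser_time'} = $miniserv{'blockuser_failures'} = undef;
    }

# NOTE(review): blocklock is copied from the form without validation.
$miniserv{'blocklock'} = $in{'blocklock'};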

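# NOTE(review): syslog, session, no_pam, pam_conv and pam_end in this section
# are copied from the form as submitted, with no format check.
$miniserv{'syslog'} = $in{'syslog'};

# Session authentication is refused unless the request carries the
# sessiontest=1 cookie or the HTTP_WEBMIN_SERVERS variable is set.
if ($in{'session'} && $ENV{'HTTP_COOKIE'} !~ /sessiontest=1/i &&
    !$ENV{'HTTP_WEBMIN_SERVERS'}) {
    &error($text{'session_ecookie'});
    }
$miniserv{'session'} = $in{'session'};

# Idle logout time must be a positive integer when enabled. \z is used
# instead of $ so that a value with a trailing newline is rejected rather
# than written to the config.
if ($in{'logouttime_on'}) {
    &error($text{'session_elogouttime'})
        unless ($in{'logouttime'} =~ /^\d+\z/ && $in{'logouttime'} > 0);
    }
$miniserv{'logouttime'} = $in{'logouttime_on'} ? $in{'logouttime'} : undef;

# Local authentication needs lsof; the value has_command() returns for it is
# what gets stored as the setting.
if ($in{'localauth'}) {
    $lsof = &has_command("lsof");
    &error($text{'session_elsof'}) if (!$lsof);
    $miniserv{'localauth'} = $lsof;
    }
else {
    delete($miniserv{'localauth'});
    }
$miniserv{'no_pam'} = $in{'no_pam'};

# Alternate password file and the field indexes within it.
if ($in{'passwd_file'}) {
    # A value ending in '|' skips the readability check.
    # NOTE(review): presumably the consumer of this setting treats such a
    # value as a command to run rather than a file to read. If so, changing
    # it amounts to command execution under the server's account, so access
    # to this page should be restricted and changes to it audited - confirm.
    &error($text{'session_epasswd_file'})
        unless ($in{'passwd_file'} =~ /\|\z/ || -r $in{'passwd_file'});
    &error($text{'session_epasswd_uindex'})
        unless ($in{'passwd_uindex'} =~ /^\d+\z/);
    &error($text{'session_epasswd_pindex'})
        unless ($in{'passwd_pindex'} =~ /^\d+\z/);
    $miniserv{'passwd_file'} = $in{'passwd_file'};
    $miniserv{'passwd_uindex'} = $in{'passwd_uindex'};
    $miniserv{'passwd_pindex'} = $in{'passwd_pindex'};
    }
else {
    delete($miniserv{'passwd_file'});
    delete($miniserv{'passwd_uindex'});
    delete($miniserv{'passwd_pindex'});
    }
$miniserv{'pam_conv'} = $in{'pam_conv'};
$miniserv{'pam_end'} = $in{'pam_end'};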
# Password-change command. Unless the default is selected, the submitted
# command must contain a non-space character and be accepted by
# has_command(). The value lands in %gconfig, which is written out in the
# next section of the script.
if (!$in{'cmd_def'}) {
    unless ($in{'cmd'} =~ /\S/ && &has_command($in{'cmd'})) {
        &error($text{'session_ecmd'});
        }
    $gconfig{'passwd_cmd'} = $in{'cmd'};
    }
else {
    delete($gconfig{'passwd_cmd'});
    }

# External authentication program. Only the first whitespace-delimited word
# is tested for being executable; the full submitted string is what gets
# stored.
if (!$in{'extauth'}) {
    delete($miniserv{'extauth'});
    }
else {
    my ($prog) = $in{'extauth'} =~ /^(\S+)/;
    &error($text{'session_eextauth'}) unless (defined($prog) && -x $prog);
    $miniserv{'extauth'} = $in{'extauth'};
    }

# passwd_mode is only touched when the form actually supplied it.
$miniserv{'passwd_mode'} = $in{'passwd_mode'}
    if (defined($in{'passwd_mode'}));
$miniserv{'utmp'} = $in{'utmp'};

# Write the updated miniserv settings back and release the lock on the file
# named by MINISERV_CONFIG.
&put_miniserv_config(\%miniserv);
&unlock_file($ENV{'MINISERV_CONFIG'});

# Second half: update the global config file under $config_directory while
# holding a lock on it.
my $gconfig_path = "$config_directory/config";
&lock_file($gconfig_path);
#$gconfig{'locking'} = $in{'locking'};
$gconfig{'noremember'} = !$in{'remember'};
$gconfig{'realname'} = $in{'realname'};

# Mirror the password-file settings into %gconfig: copy all three when a
# file was submitted, remove all three otherwise.
foreach my $key ('passwd_file', 'passwd_uindex', 'passwd_pindex') {
    if ($in{'passwd_file'}) {
        $gconfig{$key} = $in{$key};
        }
    else {
        delete($gconfig{$key});
        }
    }

# Login banner: a custom banner path must be readable by this process.
if (!$in{'banner_def'}) {
    &error($text{'session_ebanner'}) unless (-r $in{'banner'});
    $gconfig{'loginbanner'} = $in{'banner'};
    }
else {
    delete($gconfig{'loginbanner'});
    }

if ($in{'md5pass'}) {
    # MD5 enabled .. but is it supported by this system?
    # A true result from acl::check_md5() is reported to the user as an
    # error, embedded in the session_emd5mod message.
    &foreign_require("acl", "acl-lib.pl");
    $need = &acl::check_md5();
    &error(&text('session_emd5mod', "<tt>$need</tt>")) if ($need);
    }
$gconfig{'md5pass'} = $in{'md5pass'};

# Persist the global settings and drop the lock.
&write_file($gconfig_path, \%gconfig);
&unlock_file($gconfig_path);

# Show the restart page, then record the change; the submitted form
# parameters (%in) are passed to webmin_log().
&show_restart_page();
&webmin_log("session", undef, undef, \%in);


--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0283 ]--