!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/alumni/   drwxrwxrwx
Free 51.24 GB of 127.8 GB (40.09%)


Viewing file:     admin.php (9.83 KB)      -rw-r--r--
<?php

/********************************************************************************
    - MemHT Portal -
    
    Copyright (C) 2007-2008 by Miltenovik Manojlo
    http://www.memht.com
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.
    
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.
    
    You should have received a copy of the GNU General Public License along
    with this program; if not, see <http://www.gnu.org/licenses/> (GPLv2)
    or write to the Free Software Foundation, Inc., 51 Franklin Street,
    Fifth Floor, Boston, MA02110-1301, USA.
        
********************************************************************************/

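//===========================================
//Script time execution
//===========================================
// Capture the request start time as a float number of seconds.
// microtime() with no argument returns the string "usec sec"; splitting it on
// the space and adding both parts gives seconds with sub-second precision.
// $starttime is not read again in this file; presumably an included footer
// uses it to print the page generation time.
$mtime = microtime();
$mtime = explode(" ", $mtime);
$starttime = $mtime[1] + $mtime[0];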

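//===========================================
//Script compression
//===========================================
// Gzip the response when the zlib extension is loaded.
// Every call is silenced with "@", so a failure to set the level or to start
// the output buffer is ignored rather than reported.
// Starting the buffer here also matters later in this file: session_start()
// is called after HTML has been echoed, which only works while output is
// still being held in a buffer.
if (@extension_loaded('zlib')) {
    @ini_set('zlib.output_compression_level', 6);
    @ob_start('ob_gzhandler');
}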

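//===========================================
//Check if the site is installed
//===========================================
// Three states are handled:
//   config missing, installer present  -> redirect to the installer
//   config missing, installer missing  -> stop with an error
//   config present, installer present  -> stop until the installer is removed
if (!file_exists("inc/inc_config.php")) {
    if (file_exists("install/install.php")) {
        header("Location: install/install.php");
        // Stop after sending the redirect. Without this the script continues to
        // the require_once of inc/inc_config.php below, which is known to be
        // missing in this branch and would end the request with a fatal error.
        exit;
    } else {
        die("<table style='padding: 2px; border: 1px solid #999; background-color: #EEE; font-family: Verdana; font-size: 10px;' align='center'><tr><td><b>Attention:</b> The configuration file is missing and a new installation cannot be started because the install file cannot be located</td></tr></table>");
    }
} else if (file_exists("install/install.php")) {
    // Refuse to serve the admin page while the installer is still on disk.
    // NOTE(review): presumably because a leftover installer could be used to
    // reconfigure a live site; this check only protects admin.php, so the
    // installer itself still has to be deleted or blocked at the web server.
    die("<table style='padding: 2px; border: 1px solid #999; background-color: #EEE; font-family: Verdana; font-size: 10px;' align='center'><tr><td><b>Attention:</b> Delete the installation folder and files!</td></tr></table>");
}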

//===========================================
//Database: Connect
//===========================================
// Pull in the site configuration and the database wrapper, then connect.
// The database class and its methods are defined in inc/inc_database.php.
require_once "inc/inc_config.php";
require_once "inc/inc_database.php";

$dblink = new database();
$dblink->connect();

//Database empty?
// A row count of zero from memht_config is treated as "schema not installed"
// and ends the request with a fixed message that discloses no query details.
if (0 == $dblink->get_num_noerr("SELECT nome FROM memht_config")) {
    die("<table style='padding: 2px; border: 1px solid #999; background-color: #EEE; font-family: Verdana; font-size: 10px;' align='center'><tr><td><b>Attention:</b> Cannot find database tables!</td></tr></table>");
}

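//===========================================
//Timezone setting
//===========================================
// Read the configured hour offset and build the SQL expression used for
// "current time in the site's timezone".
$timezonerow = $dblink->get_row("SELECT timezone FROM memht_config");
// intval() guarantees an integer, so the fragment below can only ever contain
// a numeric literal even though it is assembled by string concatenation.
$siteConfig['timezone'] = intval($timezonerow['timezone']);
$tzNOW = "DATE_ADD(NOW(),INTERVAL ".$siteConfig['timezone']." HOUR)";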

//===========================================
//Includes
//===========================================
// Core libraries, loaded in a fixed order. All paths are literals relative to
// the working directory; none is derived from request data.
require_once "inc/inc_login.php";
require_once "inc/inc_functions.php";
require_once "inc/inc_bbcode.php";
require_once "inc/inc_readConfig.php";
require_once "inc/inc_getinfo.php";
require_once "inc/inc_ban.php";
//-------------------------------------------
// Banner support and the admin template helpers.
require_once "inc/inc_banners.php";
require_once "admin/inc/inc_tpl.php";

//===========================================
//Language selection
//===========================================
// Load the language file for the active language, falling back to the default
// language when no file exists for it.
// NOTE(review): how $siteConfig['language'] is populated is not visible in this
// file (presumably in inc/inc_readConfig.php). It is used to build an include
// path, so if a request value can influence it, confirm that it is limited to
// a fixed list of language names before it reaches this point.
if (!file_exists("lang/".$siteConfig['language'].".php")) {
    include_once "lang/".$siteConfig['default_language'].".php";
} else {
    include_once "lang/".$siteConfig['language'].".php";
}
    
// Admin front controller: an authenticated user gets the requested admin page
// (or the dashboard when no page is given); everyone else gets the login form
// or, once the flood table holds 5 or more attempts for the IP, a "wait" notice.
// NOTE(review): this copy of the file has lost several tokens (the "=" in
// lines such as `$admin $userInfo['user']`, and the operand after ">" in the
// rank check), so it does not parse as shown. The code is left as captured.
global 
$userid,$userInfo;

// isAuth() is defined elsewhere; the second argument is presumably the minimum
// rank required for the admin area - confirm against inc/inc_login.php.
if (
isAuth($userid,2)) {
    
// Full error reporting for authenticated users. Whether messages reach the
// browser depends on display_errors, which is not set in this file.
error_reporting(E_ALL);
    
    
$admin $userInfo['user'];
    
$email $userInfo['email'];
    
    if (isset(
$_GET['page'])) {
        
// $page comes straight from the query string. inCode() and checkCode() are the
// only checks applied before it is used in include paths and in an SQL string.
// NOTE(review): both helpers are defined elsewhere. Confirm that they reject
// path separators, "..", quotes and NUL bytes; matching $page against the list
// of directories under admin/pages would be a stricter control.
$page inCode($_GET['page']);
                
        if (
checkCode($page)) {
            
//Main Begin
            
if (file_exists("admin/pages/$page/index.php")) {
// Optional per-page language file: active language first, then the default.
                if (
file_exists("admin/pages/$page/lang/".$siteConfig['language'].".php")) {
                    include_once(
"admin/pages/$page/lang/".$siteConfig['language'].".php");
                } else if (
file_exists("admin/pages/$page/lang/".$siteConfig['default_language'].".php")) {
                    include_once(
"admin/pages/$page/lang/".$siteConfig['default_language'].".php");
                }
// Authorization: either the user's rank is high enough or memht_privs holds a
// row granting this user this page.
// NOTE(review): the operand after ">" is missing in this copy; restore it from
// the original source rather than guessing a rank value.
// NOTE(review): $userid and $page are interpolated into the SQL text. The query
// is safe only if $userid is always an integer and inCode()/checkCode() remove
// quote characters - confirm, or switch to bound parameters if the database
// wrapper supports them.
                if (
$userInfo['rank']>OR $dblink->get_num("SELECT page FROM memht_privs WHERE userid=$userid AND page='$page'")>0) {
                    
// _LOAD_PAGE_ is presumably tested by the included page to refuse direct access.
define("_LOAD_PAGE_",1);
                    include(
"admin/pages/$page/index.php");
                } else {
                    
//Access denied......
                    
require_once("admin/inc/inc_header.php");
                    
admin_page_title("");
                    
openTable();
                    echo 
"<div align='center' id='errorText'><b>"._ACCESSDENIED_."</b></div>";
                    
closeTable();
                    require_once(
"admin/inc/inc_footer.php");
                }
                echo 
"</div>";
            } else {
// The requested page directory has no index.php.
                require_once(
"admin/inc/inc_header.php");
                    
admin_page_title("");
                    
openTable();
                    echo 
"<div align='center' id='errorText'><b>"._PAGE_NOEXIST_."</b></div>";
                    
closeTable();
                require_once(
"admin/inc/inc_footer.php");
            }
            
//Main End
        
} else {
// checkCode() rejected the page name. The value is not echoed back, so the
// error page cannot reflect request data.
            require_once(
"admin/inc/inc_header.php");
                
admin_page_title("");
                
openTable();
                    echo 
"<div align='center' id='errorText'><b>"._SYNTAX_ERROR_."</b></div>";
                
closeTable();
            require_once(
"admin/inc/inc_footer.php");
        }
    } else {
// No page requested: show the dashboard (new events and info panels).
        require_once(
"admin/inc/inc_header.php");
            
define("_LOAD_PAGE_",1);
            include_once(
"admin/inc/inc_newevents.php");
            include_once(
"admin/inc/inc_info.php");
        require_once(
"admin/inc/inc_footer.php");
    }
} else {
    
// Not authenticated: hide all PHP errors and render the standalone login page.
error_reporting(0);
    
    echo 
"<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>\n";
    echo 
"<html xmlns='http://www.w3.org/1999/xhtml'>\n";
    echo 
"<head>\n";
    echo 
"<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />\n";
// NOTE(review): site_name is written into the page without HTML escaping. It is
// a configuration value; escape it if it can ever contain markup.
    echo 
"<title>".$siteConfig['site_name']." - Admin</title>\n";
    
//Tooltips
    
?>
    <style type='text/css'>
        body {
            padding: 0;
            margin: 0;
        }
        body td { font-size:12px; color:#777; }
        .foot {
            padding-top: 4px;
            text-align:center;
            font-size:10px;
            color:#999;
        }
        .foot a,
        .foot a:visited { color: #999; }
        .foot a:hover { color:#900; }
        .adminbox {
            margin:0 auto;
            width:350px;
            padding:4px;
            background-color:#FFF;
            border:1px solid #DDD;
        }
        .adminbox_title {
            margin:0 auto;
            width:350px;
            padding:4px;
            font-size:14px;
            font-weight:bold;
            color:#AAA;
            background:url(images/admin/title.gif) repeat-x #FFF;
            text-align:center;
            border-left:1px solid #DDD;
            border-top:1px solid #DDD;
            border-right:1px solid #DDD;
        }
        .adminbox_error {
            margin:0 auto;
            width:350px;
            padding:10px 4px;
            background-color:#FFF;
            text-align:center;
            border:1px solid #DDD;
        }
        .intxt {
            border:1px solid #99CF0E;
            color:#777;
            font-size:16px;
        }
        .intxt:hover { border:1px solid #FFD110; }
        .button {
            background:url(images/admin/login.gif) no-repeat;
            width:58px;
            height:23px;
            border:0;
        }
        .button:hover {
            background:url(images/admin/login.gif) 0 -23px no-repeat;
            width:58px;
            height:23px;
            border:0;
        }
    </style>
    <?php
    
echo "<style type='text/css'>\n";
    echo 
"body { font-size: 12px; }\n";
    echo 
"</style>\n";
    echo 
"</head>\n";
    echo 
"<body>\n";
    
    
//
    
?>
    <link rel="stylesheet" href="admin/inc/inc_tpl.css" type='text/css'>
    <div class="tpl_admin_head_1"><img src="admin/images/tpl/tpl_head_logo.png" border="0" alt="MemHT Portal"></div>
    <div class="tpl_admin_head_2" style="margin-bottom:20px;"></div>
    <?php
    
//

    
// Login throttle: the form is shown only while memht_login_flood has no row for
// this IP with 5 or more attempts.
// NOTE(review): $visitorInfo['ip'] is concatenated into the SQL text and its
// origin is not visible here (presumably inc/inc_getinfo.php). If it can come
// from a client-supplied header rather than the socket address, it must be
// validated as an IP address before it reaches this query.
// NOTE(review): this block only reads the table. Confirm that the login handler
// that processes the POST also enforces the limit, because hiding the form does
// not stop a direct POST to admin.php.
if ($dblink->get_num("SELECT * FROM memht_login_flood WHERE ip='".$visitorInfo['ip']."' AND attempts>=5")==0) {
        echo 
"<form name='admin01' method='post' action='admin.php'>\n";
            echo 
"<div class='adminbox_title'>"._ADMINISTRATION_."</div>\n";
            echo 
"<div class='adminbox'>\n";
                echo 
"<table cellpadding='6' cellspacing='0' border='0' align='center'>\n";
                    echo 
"<tr>";
                        echo 
"<td rowspan='3' valign='top'><img src='images/admin/access.gif' alt='Access' style='margin-right:15px;'></td>";
                        echo 
"<td>"._USERNAME_."<br><input type='text' name='post_username' class='intxt'></td>";
                    echo 
"</tr>";
                    echo 
"<tr>";
                        echo 
"<td>"._PASSWORD_."<br><input type='password' name='post_password' class='intxt'></td>";
                    echo 
"</tr>";
                    echo 
"<tr>";
                        echo 
"<td><input type='submit' name='Submit' value='' class='button'></td>";
                    echo 
"</tr>";
                echo 
"</table>\n";
            echo 
"</div>";
// NOTE(review): site_url is placed in an href without escaping; it is a
// configuration value, but escaping it would keep a stray quote from breaking
// the attribute.
            echo 
"<div style='text-align:center;'><a href='".$siteConfig['site_url']."' style='color:#AAA;'>"._BACKTOTHESITE_."</a></div>";
            echo 
"<input type='hidden' name='login' value='true'>";
            echo 
"</form>\n";
// The session is started after HTML has already been echoed. That can only
// succeed while the output is still buffered (the zlib block earlier in this
// file starts a buffer only when the extension is loaded), and "@" hides the
// failure otherwise, in which case the two values below are not persisted.
            @
session_start();
            
// Fixed post-login target and a timestamp; the redirect target is a literal,
// not taken from the request.
$_SESSION['redirect_url'] = "admin.php";
            
$_SESSION['redirect_age'] = time();
        } else {
// Throttled: show the wait notice instead of the form.
            echo 
"<div class='adminbox_title'>"._ADMINISTRATION_."</div>\n";
            echo 
"<div class='adminbox_error'><img src='images/admin/wait.gif' alt='Wait' style='margin-bottom:10px;'><br>"._YOUMUSTWAITTOLOGINAGAIN_."</div>\n";
        }    
    echo 
"</body>\n";
    echo 
"</html>\n";    
}
    
// Inline housekeeping, used only when the site is not configured for cron jobs.
// NOTE(review): this runs after the authentication branch has closed, so every
// request to admin.php triggers it, including unauthenticated ones. Moving the
// work to a scheduled job, or guarding it with a minimum interval, would keep
// anonymous traffic from driving maintenance and newsletter sending.
if (0 == $siteConfig['usecronjobs']) {
    //===========================================
    //Maintenance
    //===========================================
    // Maintenance is defined elsewhere; All() presumably runs every task.
    $maintenance = new Maintenance();
    $maintenance->All();

    //===========================================
    //Newsletter
    //===========================================
    sendNewsletter();
}

//===========================================
//Database: Disconnect
//===========================================
// Close the connection opened at the top of the script.
$dblink->disconnect();

?>
