<?php

/********************************************************************************
    - MemHT Portal -
    
    Copyright (C) 2007-2008 by Miltenovik Manojlo
    http://www.memht.com
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.
    
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.
    
    You should have received a copy of the GNU General Public License along
    with this program; if not, see <http://www.gnu.org/licenses/> (GPLv2)
    or write to the Free Software Foundation, Inc., 51 Franklin Street,
    Fifth Floor, Boston, MA 02110-1301, USA.
        
********************************************************************************/

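//===========================================
//Do not show errors
//===========================================
// Report everything, but keep it out of the HTTP response: this script sits in
// the web root, and a displayed warning leaks file paths and query text. The
// original set only E_ALL, which (with display_errors on) does the opposite of
// what the heading says.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');

//===========================================
//Database: Connect
//===========================================
require_once("inc/inc_config.php");
require_once("inc/inc_database.php");

$dblink = new database();
$dblink->connect();

//===========================================
//Timezone setting
//===========================================
// Site-wide offset in whole hours; $tzNOW is the SQL expression every query in
// this file uses instead of NOW(). intval() keeps the interpolated value numeric.
$timezonerow = $dblink->get_row("SELECT timezone FROM memht_config");
$siteConfig['timezone'] = is_array($timezonerow) ? intval($timezonerow['timezone']) : 0;
$tzNOW = "DATE_ADD(NOW(),INTERVAL " . $siteConfig['timezone'] . " HOUR)";

require_once("inc/inc_login.php");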

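//Check if the visitor is logged as user
//
// The "login_user" cookie holds three '#'-separated fields; the third one,
// after inCode(), is compared with memht_utenti.pass (whether that column holds
// a hash or not is not visible in this file). Validation is either against the
// cached $privs['user'] string or, when $force==1, against the database.
// Returns true only when the cookie checks out; every failing path clears
// $privs['user'] and returns false. The 'IsUser' hook may veto the check.
//
// NOTE(review): on the database path the cookie's own id field is never
// compared with $userid; only the password field is. Confirm that callers
// derive $userid from the same cookie.
function isUser($userid, $force = 0) {
    global $dblink, $privs;

    if (!memRunHooks('IsUser', array($userid, $force, &$privs))) {
        return false; // hook vetoed (the original fell off the end and returned null)
    }
    if (!isset($_COOKIE['login_user'])) {
        return false; //Not Logged
    }

    $cookiecontent = (string)$_COOKIE['login_user'];
    $cookieitem = explode("#", $cookiecontent);
    if (count($cookieitem) < 3) {
        // Malformed cookie: never reaches the compare or the SQL below.
        $privs['user'] = false;
        return false;
    }

    if (!empty($privs['user'])) {
        $pcookieitem = explode("#", $privs['user']);
        // Strict comparison: '==' on two strings applies numeric juggling
        // ("1e3" == "1000" is true), which is not what a credential check wants.
        if (count($pcookieitem) >= 3
            && $cookieitem[0] === $pcookieitem[0]
            && $cookieitem[1] === $pcookieitem[1]
            && $cookieitem[2] === $pcookieitem[2]) {
            return true;
        }
        $privs['user'] = false;
        return false; //Error? Hack?
    }

    if ($force == 1) {
        //Database Account Control
        // $userid is interpolated into the query: force it to an integer so a
        // caller-supplied string cannot alter the statement.
        $uid = intval($userid);
        $query = "SELECT id FROM memht_utenti WHERE id=$uid AND pass='" . inCode($cookieitem[2]) . "' LIMIT 1";
        if ($dblink->get_num($query) > 0) {
            $privs['user'] = $cookiecontent;
            return true; //Account Correct
        }
        $privs['user'] = false;
        return false; //Error? Hack?
    }

    return false;
}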

//Data input function (from user)
//
// Prepares a value for one of this file's string-built INSERT/SELECT
// statements: undoes magic_quotes, drops two FCKeditor 2.5.1 artefacts,
// HTML-encodes the value (ENT_QUOTES) and finally escapes it for MySQL. Data
// is therefore stored HTML-encoded; outCode() is the inverse.
//
// NOTE(review): the MySQL escaping is only meaningful while a mysql_* link is
// open (mysql_real_escape_string returns false otherwise), and it protects a
// query only when the result is wrapped in quotes at the call site — numeric
// positions still need intval().
function inCode($string) {
    $value = get_magic_quotes_gpc() ? stripslashes($string) : $string;

    //FCKeditor 2.5.1 bug fix (Mozilla placeholder break, and a lone <br />)
    $value = str_replace('<br type="_moz" />', '', $value);
    if ($value == "<br />") {
        $value = "";
    }

    return mysql_real_escape_string(htmlentities($value, ENT_QUOTES));
}

//Data output function (from database)
//
// Inverse of inCode(): with $html==1 the stored entities are decoded by
// unhtmlentities() (which also strips <iframe>/<script>/<style> wrappers);
// with any other value only backslashes are removed. Afterwards escaped quotes
// (\" and \') and a literal "&amp;" are restored, in that order.
//
// NOTE(review): with $html==1 this re-materialises HTML from stored data, so
// anything rendered from its result depends on the three-tag strip in
// unhtmlentities(); other tags and attribute event handlers are emitted as-is.
function outCode($string, $html = 1) {
    $decoded = ($html == 1) ? unhtmlentities($string) : stripslashes($string);

    $restore = array(
        '\"'    => '"',
        "\'"    => "'",
        "&amp;" => "&",
    );
    foreach ($restore as $search => $replacement) {
        $decoded = str_replace($search, $replacement, $decoded);
    }
    return $decoded;
}

// Decodes the HTML entities produced by inCode(): first the named forms
// (&lt;, &amp;, ...), then the decimal forms (&#60;, ...) for the same set of
// characters. With $html==1 the <iframe>, <script> and <style> wrappers are
// stripped afterwards via strip_selected_tags().
//
// strtr() is single-pass, so "&amp;lt;" decodes to "&lt;" and stops there —
// but "&amp;#60;" becomes "&#60;" in pass one and "<" in pass two.
//
// NOTE(review): the strip is a three-tag blacklist; any other tag and every
// attribute event handler (onerror=, onload=, ...) survive decoding.
function unhtmlentities($string, $html = 1) {
    $named = get_html_translation_table(HTML_ENTITIES);
    $decimal = array();
    foreach ($named as $char => $entity) {
        $decimal[$char] = '&#' . ord($char) . ';';
    }

    $decoded = strtr($string, array_flip($named));
    $decoded = strtr($decoded, array_flip($decimal));

    if ($html == 1) {
        $decoded = strip_selected_tags($decoded, array('iframe', 'script', 'style'));
    }
    return $decoded;
}

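// Removes the given tags (opening and closing) from $text while keeping their
// inner content. Tags may be passed as an array ($tags) or as extra string
// arguments: strip_selected_tags($text, 'script', 'style').
//
// Fixes against the original pattern '<tag[^>]*>([^<]*)</tag>' with the 'u'
// modifier:
//  - '[^<]*' never matched a body containing '<' (e.g. "if(a<b)"), so such a
//    <script> block survived untouched; the body is now matched lazily across
//    newlines ('(.*?)' with 's').
//  - with 'u', any invalid UTF-8 byte made preg_match_all() return false and
//    the whole strip was skipped; '<' and '>' are ASCII, so the byte-wise
//    pattern is equivalent on valid input and does not have that failure mode.
//  - nested wrappers (<script><script>x</script></script>) are now stripped
//    by repeating until nothing matches; each pass shortens the text, so the
//    loop terminates.
// A backtrack/recursion error from PCRE still leaves the text unchanged.
//
// NOTE(review): this remains a blacklist of three tags chosen by the caller;
// it is not an HTML sanitizer.
function strip_selected_tags($text, $tags = array()) {
    $args = func_get_args();
    $text = array_shift($args);
    $tags = func_num_args() > 2 ? array_diff($args, array($text)) : (array)$tags;

    foreach ($tags as $tag) {
        $quoted  = preg_quote($tag, '/');
        $pattern = '/<' . $quoted . '[^>]*>(.*?)<\/' . $quoted . '>/is';
        while (preg_match_all($pattern, $text, $found)) {
            $text = str_replace($found[0], $found[1], $text);
        }
    }
    return $text;
}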

//===========================================
//Includes
//===========================================
require_once("inc/inc_readConfig.php");

//Use cronjobs
if ($siteConfig['usecronjobs']==1) {
    
    
//===========================================
    //Maintenance
    //===========================================
    
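class Maintenance {
    //Override timings, forcing the execution
    var $forcedexec = false;

    //Call all class functions
    //
    // Runs every clean-up below once $siteConfig['maintenance'] minutes have
    // passed since memht_maintenance.last, or unconditionally when $forcedexec
    // is set. `last` is stamped before the work starts. The 'Maintenance' hook
    // can veto the pass; 'MaintenanceEnd' fires after it.
    function All() {
        global $dblink, $siteConfig, $tzNOW;

        // Seed the single bookkeeping row on first use.
        if ($dblink->get_num("SELECT last FROM memht_maintenance") == 0) {
            $dblink->query("INSERT INTO memht_maintenance (last) VALUES ('2000-01-01 00:00:00')");
        }

        // Config values are interpolated into SQL: keep them numeric.
        $everyMinutes = intval($siteConfig['maintenance']);
        $due = $this->forcedexec
            || $dblink->get_num("SELECT last FROM memht_maintenance WHERE (last + INTERVAL $everyMinutes MINUTE) < $tzNOW") > 0;
        if (!$due) {
            return;
        }
        $dblink->query("UPDATE memht_maintenance SET last=$tzNOW");

        if (!memRunHooks('Maintenance', array($this->forcedexec))) {
            return;
        }
        $this->CleanBanned();
        $this->MessageBoxFlood();
        $this->OldWaitingUsers();
        $this->OldPrivateMessages();
        $this->OldLoginAttempts();
        $this->GroupMembers();
        $this->ResetMediumLoadTime();
        $this->DeleteOldLiveData();
        $this->DeleteOldAdminData();
        $this->DeleteRssCache();
        $this->RssAggregator();
        $this->CleanStatistics();

        memRunHooks('MaintenanceEnd', array($this->forcedexec));
    }

    //Clean the database from expired temporary bans
    function CleanBanned() {
        global $dblink, $tzNOW;

        $dblink->query("DELETE FROM memht_banned WHERE date < $tzNOW AND permanent=0");
    }

    //Clean messagebox flood data older than maintenance_mesboxflood minutes
    function MessageBoxFlood() {
        global $dblink, $siteConfig, $tzNOW;

        $minutes = intval($siteConfig['maintenance_mesboxflood']);
        $dblink->query("DELETE FROM memht_messagebox_flood WHERE (time + INTERVAL $minutes MINUTE) < $tzNOW");
    }

    //Clean old pending user registrations
    //
    // Unactivated rows expire after maintenance_waitusers hours; activated
    // rows are kept for three months.
    function OldWaitingUsers() {
        global $dblink, $siteConfig, $tzNOW;

        $hours = intval($siteConfig['maintenance_waitusers']);
        $dblink->query("DELETE FROM memht_utenti_attesa WHERE activated=0 AND (data + INTERVAL $hours HOUR) < $tzNOW");
        $dblink->query("DELETE FROM memht_utenti_attesa WHERE activated=1 AND (data + INTERVAL 3 MONTH) < $tzNOW");
    }

    //Clean private messages older than maintenance_oldpm days
    function OldPrivateMessages() {
        global $dblink, $siteConfig, $tzNOW;

        $days = intval($siteConfig['maintenance_oldpm']);
        $dblink->query("DELETE FROM memht_pvtmsg WHERE (date + INTERVAL $days DAY) < $tzNOW");
    }

    //Clean login attempts older than maintenance_failedlogin minutes
    function OldLoginAttempts() {
        global $dblink, $siteConfig, $tzNOW;

        $minutes = intval($siteConfig['maintenance_failedlogin']);
        $dblink->query("DELETE FROM memht_login_flood WHERE (time + INTERVAL $minutes MINUTE) < $tzNOW");
    }

    //Clean expired group members
    //
    // Expired non-permanent memberships are first put on standby, then
    // removed once maintenance_standbygroup days have passed since expiry.
    function GroupMembers() {
        global $dblink, $siteConfig, $tzNOW;

        $days = intval($siteConfig['maintenance_standbygroup']);
        $dblink->query("UPDATE memht_groups_members SET standby=1 WHERE permanent=0 AND standby=0 AND expire < $tzNOW");
        $dblink->query("DELETE FROM memht_groups_members WHERE permanent=0 AND standby=1 AND (expire + INTERVAL $days DAY) < $tzNOW");
    }

    //Drop live statistics older than 12 hours
    function DeleteOldLiveData() {
        global $dblink, $tzNOW;

        $dblink->query("DELETE FROM memht_statistics_livedata WHERE (date + INTERVAL 12 HOUR) < $tzNOW");
    }

    //Drop administration statistics older than 7 days
    function DeleteOldAdminData() {
        global $dblink, $tzNOW;

        $dblink->query("DELETE FROM memht_statistics_administration WHERE (date + INTERVAL 7 DAY) < $tzNOW");
    }

    //Reset medium load time: drop samples older than maintenance_loadtime hours
    function ResetMediumLoadTime() {
        global $dblink, $siteConfig, $tzNOW;

        $hours = intval($siteConfig['maintenance_loadtime']);
        $dblink->query("DELETE FROM memht_statistics_loadtime WHERE (started + INTERVAL $hours HOUR) < $tzNOW");
    }

    //Delete RSS cache
    //
    // When more than 20 entries sit in inc/magpie/cache, deletes up to 21 of
    // them in readdir() order, scanning at most 22 entries (the original
    // break condition is kept). readdir() returns bare names, so nothing
    // outside the cache directory can be reached.
    function DeleteRssCache() {
        $dir = 'inc/magpie/cache';

        // glob() returns false on error; count(false) is a TypeError on PHP 8
        // and the original '@' did not suppress that.
        $entries = @glob("$dir/*", GLOB_BRACE);
        if (!is_array($entries) || count($entries) <= 20) {
            return;
        }

        $handle = @opendir("$dir/");
        if ($handle === false) {
            return;
        }
        $deleted = 0;
        $seen = 0;
        while (false !== ($file = @readdir($handle))) {
            if ($deleted > 20 || $seen > 20) {
                break;
            }
            if ($file != "." && $file != "..") {
                @unlink("$dir/$file");
                $deleted++;
            }
            $seen++;
        }
        @closedir($handle);
    }

    //Rss Aggregator
    //
    // At most once an hour, fetches each memht_aggregator row's feed and
    // inserts new items (oldest first, up to numfeeds per feed) into the
    // articles, guides or news table chosen by `whr`. An item whose title
    // already exists in the target table is skipped.
    //
    // NOTE(review): `rssurl` is fetched server-side by MagpieRSS with no
    // scheme/host restriction; it is admin-configured, so treat the aggregator
    // form as a privileged input. The original also ran SELECT * without an
    // enabled=1 filter although it gates on enabled rows existing — kept as-is,
    // confirm whether disabled feeds are meant to be skipped.
    function RssAggregator() {
        global $dblink, $tzNOW;

        if ($dblink->get_num("SELECT id FROM memht_aggregator WHERE enabled=1") == 0) {
            return;
        }
        if ($dblink->get_num("SELECT maintenance_aggregator FROM memht_maintenance WHERE (maintenance_aggregator + INTERVAL 1 HOUR) < $tzNOW") == 0) {
            return;
        }
        $dblink->query("UPDATE memht_maintenance SET maintenance_aggregator=$tzNOW");

        $feeds = $dblink->get_list("SELECT * FROM memht_aggregator");
        if (empty($feeds)) {
            return;
        }
        if (!defined('MAGPIE_CACHE_DIR')) {
            define('MAGPIE_CACHE_DIR', 'inc/magpie/cache');
        }
        require_once("inc/magpie/rss_fetch.inc");

        foreach ($feeds as $row) {
            $whr = intval($row['whr']);
            $argument = intval($row['argument']);
            // The author goes into an INSERT below. The original interpolated
            // the *decoded* value, so an apostrophe broke the statement (and an
            // admin-controlled value could alter it); re-encode it like every
            // other stored field.
            $author = inCode(outCode($row['author']));
            $rssurl = outCode($row['rssurl']);
            $numfeeds = intval($row['numfeeds']);

            $rss = @fetch_rss($rssurl);
            if (!$rss) {
                continue;
            }
            $channel = inCode($rss->channel['title']);
            if ($author == "") {
                $author = $channel;
            }

            $inserted = 0;
            foreach (array_reverse($rss->items) as $item) {
                if ($inserted >= $numfeeds) {
                    break;
                }
                $link = inCode(@$item['link']);
                $title = inCode(@$item['title']);
                $description = inCode(@$item['description']);
                $encoded = inCode(@$item['content']['encoded']);

                if (strlen($link) == 0 || strlen($title) == 0 || strlen($description) <= 10) {
                    continue;
                }
                // $link lands in an href attribute that outCode() later emits
                // verbatim; accept only http(s) so a feed cannot plant a
                // javascript:/data: URL in the page.
                if (!preg_match('#^https?://#i', $link)) {
                    continue;
                }

                $more = "Source: <a href=\"$link\" target=\"_blank\" title=\"$channel\"><i>$channel</i></a>";

                //1 = Articles, 2 = Guide, 3 = News
                switch ($whr) {
                    case 1:
                    case 2:
                        $table = ($whr == 1) ? 'memht_articoli' : 'memht_guide';
                        // With content:encoded present it becomes the body and the
                        // description is demoted to the summary column.
                        $summary = ($encoded != "") ? $description : "";
                        $body = ($encoded != "") ? $encoded : $description;
                        $rssquery = "INSERT INTO $table (id,argomento,nome,descrizione,testo,autore,data,enabled) VALUES "
                            . "(null,'$argument','$title','$summary','$body<br><br>$more','$author',$tzNOW,'1')";
                        $checkquery = "SELECT id FROM $table WHERE nome='$title'";
                        break;
                    case 3:
                        $body = ($encoded == "") ? $more : "$encoded<br><br>$more";
                        $rssquery = "INSERT INTO memht_news (id,argomento,nome,testo_home,testo,autore,data,enabled) VALUES "
                            . "(null,'$argument','$title','$description','$body','$author',$tzNOW,'1')";
                        $checkquery = "SELECT id FROM memht_news WHERE nome='$title'";
                        break;
                    default:
                        // Unknown target: the original re-ran whatever $rssquery /
                        // $checkquery the previous item left behind. Skip instead.
                        continue 2;
                }

                if ($dblink->get_num($checkquery) == 0) {
                    $dblink->query($rssquery);
                    $inserted++;
                }
            }
        }
    }

    //Clean statistics data
    //Added in 3.8.0
    //
    // Applies the same pruning rule to each per-day hit table, then drops
    // spider rows not seen for a week.
    function CleanStatistics() {
        global $dblink, $tzNOW;

        // Fixed list: these names are interpolated into SQL by the helper.
        $tables = array('browsers', 'domains', 'os', 'pages', 'screenres',
                        'searchengines', 'searchkeywords', 'users');
        foreach ($tables as $suffix) {
            $this->_pruneStatisticsTable('memht_statistics_' . $suffix);
        }

        //memht_statistics_spiders
        $dblink->query("DELETE FROM memht_statistics_spiders WHERE (lastvisit + INTERVAL 1 WEEK) < $tzNOW");
    }

    // Deletes month-old rows whose hits are below 0.5% of the month-old
    // maximum, then week-old rows with fewer than 5 hits. $table must come
    // from the fixed list in CleanStatistics(); it is not escaped.
    function _pruneStatisticsTable($table) {
        global $dblink, $tzNOW;

        $row = $dblink->get_row("SELECT ROUND(MAX(hits)*0.005) AS min FROM $table WHERE (day + INTERVAL 1 MONTH) < $tzNOW");
        $floor = is_array($row) ? intval($row['min']) : 0;
        $dblink->query("DELETE FROM $table WHERE hits < $floor AND (day + INTERVAL 1 MONTH) < $tzNOW");
        $dblink->query("DELETE FROM $table WHERE hits < 5 AND (day + INTERVAL 1 WEEK) < $tzNOW");
    }
}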
    
    
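//Rewritten in 4.0.5
//
// Sends one batch of a pending newsletter. Runs only when a row exists in
// memht_newsletter_status, the configured pause (aut_mailpause minutes) since
// the previous batch has elapsed and memht_newsletter_busy is free (a busy
// flag older than 5 minutes is treated as stuck and reset). Each batch takes
// up to aut_mailpersession unsent recipients; when none are left the session
// is closed and archived in memht_newsletter_sent. Hooks 'SendNewsletter'
// (veto) and 'SendNewsletterEnd' wrap the whole thing.
//
// NOTE(review): aut_mailpersession of 0 gives "LIMIT 0", which returns no
// rows and closes the session without sending anything — confirm the admin
// form rejects 0.
function sendNewsletter() {
    global $dblink, $siteConfig, $tzNOW;

    if (!memRunHooks('SendNewsletter')) {
        return; // vetoed: as in the original, 'SendNewsletterEnd' does not fire either
    }

    $srow = $dblink->get_row("SELECT * FROM memht_newsletter_status");
    if ($srow) {
        //Unfinished newsletter session
        $crow = $dblink->get_row("SELECT * FROM memht_newsletter_config");
        $aut_mailpause = intval($crow['aut_mailpause']);

        $pauseElapsed = $dblink->get_num("SELECT date FROM memht_newsletter_status WHERE (date + INTERVAL $aut_mailpause MINUTE) < $tzNOW") > 0;
        if ($pauseElapsed) {
            //Check busy status
            $proceed = true;
            if ($dblink->get_num("SELECT busy FROM memht_newsletter_busy WHERE busy=0") == 0) {
                //Busy
                $proceed = false;
                if ($dblink->get_num("SELECT busy FROM memht_newsletter_busy WHERE busy=1 AND (date + INTERVAL 5 MINUTE) < $tzNOW") > 0) {
                    //Stuck > Reset
                    $dblink->query("TRUNCATE memht_newsletter_busy");
                    $dblink->query("INSERT INTO memht_newsletter_busy (busy,date) VALUES (0,$tzNOW)");
                    $dblink->query("UPDATE memht_newsletter_status SET date=$tzNOW");
                }
            }

            if ($proceed) {
                //Set busy
                // NOTE(review): check-then-set, not an atomic claim — two
                // overlapping cron hits can both pass the busy check. An
                // "UPDATE ... SET busy=1 WHERE busy=0" plus an affected-rows
                // test would close that, but the database wrapper's API for
                // affected rows is not visible here.
                $dblink->query("UPDATE memht_newsletter_busy SET busy=1,date=$tzNOW");

                //Config
                $sender_mail = outCode($crow['email_mittente']);
                $mailorsmtp = intval($crow['mailorsmtp']);
                $smtp = outCode($crow['smtp']);
                $useauth = intval($crow['useauth']);
                $smtpuser = outCode($crow['smtpuser']);
                $smtppass = outCode($crow['smtppass']);
                $aut_mailpersession = intval($crow['aut_mailpersession']);

                //Status
                $title = outCode($srow['title']);
                $content = outCode($srow['content']);
                $emails = intval($srow['emails']);

                require_once("inc/class/class.phpmailer.php");
                $mail = new PHPMailer();
                $mail->From = $sender_mail;
                $mail->FromName = $siteConfig['site_name'];
                $mail->Subject = $title;
                if ($mailorsmtp == 1) {
                    //Smtp
                    $mail->Host = $smtp;
                    $mail->Mailer = "smtp";
                    if ($useauth) {
                        $mail->SMTPAuth = true;
                        $mail->Username = $smtpuser;
                        $mail->Password = $smtppass;
                    }
                } else {
                    //Mail
                    $mail->Mailer = "mail";
                }
                $mail->IsHTML(true);
                $mail->Body = $content;

                $result = $dblink->get_list("SELECT id,email FROM memht_newsletter WHERE sent=0 ORDER BY id LIMIT $aut_mailpersession");
                if ($result) {
                    $count = 0;
                    foreach ($result as $row) {
                        $id = intval($row['id']);
                        $email = outCode($row['email']);

                        // Marked before the send so a permanently failing
                        // address is never retried on every batch.
                        $dblink->query("UPDATE memht_newsletter SET sent=1,date=$tzNOW WHERE id=$id");

                        $mail->AddAddress($email);
                        if (!$mail->Send()) {
                            // The original discarded Send()'s result, so dropped
                            // recipients were invisible. ErrorInfo is PHPMailer's
                            // public last-error string.
                            error_log("cron.php newsletter: send to subscriber $id failed: " . $mail->ErrorInfo);
                        }
                        $mail->ClearAddresses();
                        $count++;
                    }

                    //Update status
                    $dblink->query("UPDATE memht_newsletter_status SET date=$tzNOW,emails=emails+$count");
                } else {
                    //No more emails
                    $dblink->query("TRUNCATE memht_newsletter_status");
                    $dblink->query("INSERT INTO memht_newsletter_sent (title,content,date,numemails) VALUES ('" . inCode($title) . "','" . inCode($content) . "',$tzNOW,$emails)");
                }

                //Finished
                $dblink->query("UPDATE memht_newsletter_busy SET busy=0,date=$tzNOW");
            }
        }
    }

    memRunHooks('SendNewsletterEnd');
}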
    
    
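//===========================================
//Maintenance
//===========================================
// Nothing in this file authenticates the caller, and the script sits in the
// web root, so with forcedexec always true any anonymous GET ran the complete
// pass (bulk DELETEs, RSS fetches) on every hit. Force the run only from the
// command line; web requests fall back to the interval check inside All()
// ($siteConfig['maintenance'] minutes). If an include (inc_login.php /
// inc_readConfig.php) already guards this entry point, that is not visible here.
$maintenance = new Maintenance();
$maintenance->forcedexec = (PHP_SAPI === 'cli');
$maintenance->All();

//===========================================
//Newsletter
//===========================================
// Rate-limits itself through memht_newsletter_status / memht_newsletter_busy.
sendNewsletter();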
} else {
    echo 
"Cronjobs disabled";
}

//===========================================
//Database: Disconnect
//===========================================
$dblink->disconnect();

?>
