!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/manage/counter_2/   drwxr-xr-x
Free 51 GB of 127.8 GB (39.91%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     counter.php (6.37 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php
/* ----------------------------------------------*/
/*  PNG Counter 1.0 (PHP)                        */
/*  Copyright (c)2001 Chi Kien Uong              */
/*  URL: http://www.proxy2.de                    */
/* ----------------------------------------------*/

class png_counter {
    
    var 
$counter;
    var 
$size;
    var 
$digit_path;
    var 
$config;
    
    function 
png_counter() {
        global 
$CFG;
        
$this->config $CFG;
    }
    
    function 
get_digit_size() {
        if (
file_exists("$this->digit_path/1.png")) {
            
$digit_size getimagesize("$this->digit_path/1.png");
            if (
$digit_size[2] != "3") {
                return 
false;
            } else {
                
$this->size[0] = $digit_size[0];
                
$this->size[1] = $digit_size[1];
                return 
$this->size;
            }
        } else {
            return 
false;
        }
    }

    function 
check_referer() {
        global 
$VALID;
        
$is_valid false;
        
$referer getenv("HTTP_REFERER");
        if (empty(
$referer)) {
            return 
false;
        } else {
            for (
$i=0;$i<sizeof($VALID);$i++) {
                if (
eregi("$VALID[$i]",$referer)) {
                    
$is_valid true;
                    break;
                }
            }
            return 
$is_valid;
        }
    }

    function 
is_valid_visit() {
        global 
$HTTP_COOKIE_VARS;
        if (isset(
$HTTP_COOKIE_VARS['counter_png'])) {
            return 
false;
        } else {
            
$expire time()+$this->config['lock_timeout']*60;
            
setcookie("counter_png""1"$expire"/");
            return 
true;
        }
    }
    
    
/*
     * function read_counter_db($page) added by
     * Félix MARTIN RODRIGUEZ <felix_martin-rdguez@hp.com>
     *
     */

    
function read_counter_db($page) {
        
$update false;
        
/* if the db does not exist error and close */
        
$link=mysql_connect($this->config['dbhost'],$this->config['dbuser'],$this->config['dbpasswd']);
        if (! 
$link) {
            
header("Location: error.png");
            exit;
        }

        
mysql_select_db($this->config['dbname'],$link);
        
$sql "SELECT page,count FROM counter WHERE page = '$page'";
        
$result=mysql_query($sql,$link);
        if (! 
$result) {
            
header("Location: error.png");
            
mysql_close($link);
            exit;
        }
 
        if ( 
$row=mysql_fetch_row($result) ) {
            
$this->counter $row[1];   
        } else {
            
/* if page entry does not exist create record    page(txt) count(int) */
            
$this->counter 1;
            
$sql "INSERT INTO counter (page,count) VALUES ('$page',$this->counter)";
            
$result=mysql_query($sql,$link);
            if (! 
$result) { 
                
header("Location: error.png");
                
mysql_close($link);
                exit;
            }
        }
       
        
$update false
        
/* increment only if needed  */
        
if ($this->config['block_ip']) {
            if (
$this->is_valid_visit()) {
                
$this->counter++;
                
$update true;
            }
        } else {
           
$this->counter++;
           
$update true;
        }
        
/* update only if we have incremented */
        
if ( $update ) {    
            
$sql "UPDATE counter SET count=$this->counter WHERE page = '$page'";
            
$result=mysql_query($sql,$link);
            if (! 
$result){
                
header("Location: error.png");
                
mysql_close($link);
                exit;
            }
            
mysql_close($link);
        }
    }

    function 
read_counter_file($page) {
        
$update false;
        if (!
file_exists("./pages/$page.txt")) {
            
$count_dat fopen("./pages/$page.txt","w+");            
            
$this->counter 1;
            
fwrite($count_dat,$this->counter);
            
fclose($count_dat);
        } else {
            
$fp fopen("./pages/$page.txt""r+");
            
flock($fp2);
            
$this->counter fgets($fp4096);
            
flock($fp3);
            
fclose($fp);
            
$update false
            if (
$this->config['block_ip']) {
                if (
$this->is_valid_visit()) {
                    
$this->counter++;
                    
$update true;
                }
            } else {
                
$this->counter++;
                
$update true;
            }
            if (
$update) {    
                
$fp fopen("./pages/$page.txt""r+");
                
flock($fp2);
                
rewind($fp);
                
fwrite($fp$this->counter);
                
flock($fp3);
                
fclose($fp);
            }
        }
        return 
$this->counter;
    }

    function 
create_png($page,$digit) {
        if (
$this->config['referer_check']) {
            if (!
$this->check_referer()) { 
               
header("Location: error.png");
               exit;
           }
        }
        
$this->digit_path "./digits/".$digit;
        if (
$this->get_digit_size()) {
            if (
$this->config['db']) {    
                
$this->read_counter_db($page);
            } else {
                
$this->read_counter_file($page);
            }
            
$position 0;
            
$this->counter sprintf("%0"."".$this->config['pad'].""."d",$this->counter);
            
$counter_length strlen($this->counter);
            
$total_size $this->size[0]*$counter_length;            
            
$dest_img ImageCreate($total_size$this->size[1]);
            for (
$i=0;$i<$counter_length;$i++) {                
               
$digit substr("$this->counter",$i,1);
               eval(
"\$pic".$i."=ImageCreateFromPNG(\"".$this->digit_path."/".$digit.".png\");");
               eval(
"ImageCopy(\$dest_img,\$pic".$i.",".$position.",0,0,0,".$this->size[0].",".$this->size[1].");");
               
$position += $this->size[0];
            }
            
ImagePNG($dest_img);
         } else {
            
header("Location: error.png");
         }
     }       
}

include (
"./config.inc.php");
$page = (!isset($_REQUEST['page'])) ? "count" $_REQUEST['page'];
$digit = (!isset($_REQUEST['digit'])) ? "scoreboard" $_REQUEST['digit'];

$counter = new png_counter();
$counter->create_png($page,$digit);

?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0159 ]--