!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/phpMyAdmin/   drwxrwxrwx
Free 51.23 GB of 127.8 GB (40.08%)


Viewing file:     tbl_row_action.php (4.55 KB)      -rw-r--r--
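<?php
/* $Id: tbl_row_action.php,v 2.21 2005/11/26 06:59:49 cybot_tm Exp $ */
// vim: expandtab sw=4 ts=4 sts=4:

/**
 * Dispatcher for the multi-row actions of the table browse view.
 *
 * Normalises $submit_mult to one of 'row_edit', 'row_export' or 'row_delete'
 * and then hands over to tbl_change.php, tbl_properties_export.php or
 * libraries/mult_submits.inc.php followed by sql.php.
 *
 * NOTE(review): $rows_to_delete, $submit_mult, $submit_mult_*_x, $mult_btn,
 * $sql_query, $url_query, $db and $table are read here without ever being
 * assigned in this file. Presumably the included common library imports them
 * from the request - confirm, and treat every one of them as untrusted input
 * when auditing the scripts this file includes.
 */
require_once('./libraries/common.lib.php');
require_once('./libraries/mysql_charsets.lib.php');

/**
 * Avoids undefined variables
 */
if (!isset($pos)) {
    $pos = 0;
}

/**
 * No rows were selected => show again the query and tell that user.
 *
 * NOTE(review): nothing in this file stops execution after the footer is
 * included. Presumably footer.inc.php terminates the script - confirm,
 * otherwise control falls through to the dispatch below with
 * $rows_to_delete unset or not an array.
 */
if ((!isset($rows_to_delete) || !is_array($rows_to_delete)) && !isset($mult_btn)) {
    $disp_message = $strNoRowsSelected;
    $disp_query   = '';
    require('./sql.php');
    require_once('./libraries/footer.inc.php');
}

/**
 * Drop multiple rows if required
 */

// workaround for IE problem:
if (isset($submit_mult_delete_x)) {
    $submit_mult = 'row_delete';
} elseif (isset($submit_mult_change_x)) {
    $submit_mult = 'row_edit';
} elseif (isset($submit_mult_export_x)) {
    $submit_mult = 'row_export';
}

// garvin: If the 'Ask for confirmation' button was pressed, this can only come from 'delete' mode,
// so we set it straight away.
if (isset($mult_btn)) {
    $submit_mult = 'row_delete';
}

// Map the submitted value (an internal keyword or a localized button label)
// onto one of the three internal keywords. Any unrecognised value, including
// an unset $submit_mult, ends up as 'row_edit' through the default label.
switch ($submit_mult) {
    case 'row_delete':
    case 'row_edit':
    case 'row_export':
        // leave as is
        break;

    case $GLOBALS['strExport']:
        $submit_mult = 'row_export';
        break;

    case $GLOBALS['strDelete']:
    case $GLOBALS['strKill']:
        $submit_mult = 'row_delete';
        break;

    default:
    case $GLOBALS['strEdit']:
        $submit_mult = 'row_edit';
        break;
}

// Pick the script the page header should load for the chosen action.
if ($submit_mult == 'row_edit') {
    $js_to_run = 'tbl_change.js';
}

if ($submit_mult == 'row_delete' || $submit_mult == 'row_export') {
    $js_to_run = 'functions.js';
}

require_once('./libraries/header.inc.php');

if (!empty($submit_mult)) {
    switch ($submit_mult) {
        case 'row_edit':
            $primary_key = array();
            // garvin: As we got the fields to be edited from the 'rows_to_delete' checkbox, we use the index of it as the
            // indicating primary key. Then we built the array which is used for the tbl_change.php script.
            foreach ($rows_to_delete as $i_primary_key => $del_query) {
                $primary_key[] = urldecode($i_primary_key);
            }

            $active_page = 'tbl_change.php';
            include './tbl_change.php';
            break;

        case 'row_export':
            // Needed to allow SQL export
            $single_table = true;

            $primary_key = array();
            // NOTE(review): $sql_query is not assigned in this file before
            // being URL-decoded and passed on to the export script; any
            // validation of it happens outside this file.
            $sql_query = urldecode($sql_query);
            // garvin: As we got the fields to be edited from the 'rows_to_delete' checkbox, we use the index of it as the
            // indicating primary key. Then we built the array which is used for the tbl_change.php script.
            foreach ($rows_to_delete as $i_primary_key => $del_query) {
                $primary_key[] = urldecode($i_primary_key);
            }

            $active_page = 'tbl_properties_export.php';
            include './tbl_properties_export.php';
            break;

        case 'row_delete':
        default:
            $action  = 'tbl_row_action.php';
            $err_url = 'tbl_row_action.php?' . PMA_generate_common_url($db, $table);
            // Before confirmation, remember the browse state so it can be
            // restored once mult_submits.inc.php has run.
            if (!isset($mult_btn)) {
                $original_sql_query = $sql_query;
                $original_url_query = $url_query;
                $original_pos       = $pos;
            }
            require('./libraries/mult_submits.inc.php');
            $url_query = PMA_generate_common_url($db, $table)
                       . '&amp;goto=tbl_properties.php';


            /**
             * Show result of multi submit operation
             */
            // sql_query is not set when user does not confirm multi-delete
            if ((!empty($submit_mult) || isset($mult_btn)) && isset($sql_query)) {
                $disp_message = $strSuccess;
                $disp_query   = $sql_query;
            }

            if (isset($original_sql_query)) {
                $sql_query = $original_sql_query;
            }

            if (isset($original_url_query)) {
                $url_query = $original_url_query;
            }

            if (isset($original_pos)) {
                $pos       = $original_pos;
            }

            // this is because sql.php could call tbl_properties_structure
            // which would think it needs to call mult_submits.inc.php:
            unset($submit_mult);
            unset($mult_btn);

            $active_page = 'sql.php';
            require('./sql.php');

            /**
             * Displays the footer
             */
            require_once('./libraries/footer.inc.php');
        break;
    }
}
?>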


--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0131 ]--