!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/manage/nusoap/   drwxr-xr-x
Free 51 GB of 127.8 GB (39.91%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     server.php (10.07 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<? 
    
//Pull in the NuSOAP code
    
require_once('lib/nusoap/nusoap.php');
    
    
//Create the server instance
    
$server = new soap_server();

    
//Register the method to expose
    
$server->register('test');
    
$server->register('getResearchID');
    
$server->register('getResearchTB');    
    
$server->register('getResearchCharTB');
    
$server->register('getResearchFileTB');
    
$server->register('getResearchPublicTB');
    
$server->register('getResearchSuccessTB');

    
//Define the method as a PHP function
    
function test(){                
        
$txt "Hello World";
        return 
$txt;
    }
    
    function 
getResearchID($tableName){
        include_once 
"../include/Config.php";
        include_once 
"class/clsConnection.php";
        include_once 
"class/clsDB.php";

        
$hostname $ServerName;
        
$dbname $DataBaseName;
        
$username $UserName;
        
$password $UserPassword;
        
$conn = new clsConnection("$hostname","$dbname","$username","$password");
        
$sql "select * from $tableName";
        
$result mysql_query($sql);
        
$row mysql_num_rows($result);
        
        switch(
$tableName){
            case 
"research_tb" :
                for(
$i=0;$i<$row;$i++){
                    
$researchID $i == mysql_result($result,$i,"Research_code") : $researchID.",".mysql_result($result,$i,"Research_code");
                }
                break;
            
            case 
"research_char_tb" :
                for(
$i=0;$i<$row;$i++){
                    
$researchID $i == mysql_result($result,$i,"RecharId") : $researchID.",".mysql_result($result,$i,"RecharId");
                }
                break;
            
            case 
"research_file_tb" :
                for(
$i=0;$i<$row;$i++){
                    
$researchID $i == mysql_result($result,$i,"Research_Id") : $researchID.",".mysql_result($result,$i,"Research_Id");                    
                }
                break;
            
            case 
"research_public_tb" :
                for(
$i=0;$i<$row;$i++){
                    
$researchID $i == mysql_result($result,$i,"RepbCo") : $researchID.",".mysql_result($result,$i,"RepbCo");                    
                }
                break;
            
            case 
"research_success_tb" :
                for(
$i=0;$i<$row;$i++){
                    
$researchID $i == mysql_result($result,$i,"ResuccessId") : $researchID.",".mysql_result($result,$i,"ResuccessId");
                }
                break;            
        }        
        return 
$researchID;                
    }

    function 
getResearchTB($researchCode){
        include_once 
"../include/Config.php";
        include_once 
"class/clsConnection.php";
        include_once 
"class/clsDB.php";

        
$hostname $ServerName;
        
$dbname $DataBaseName;
        
$username $UserName;
        
$password $UserPassword;
        
$conn = new clsConnection("$hostname","$dbname","$username","$password");
        
$sql "select * from research_tb where Research_code = '$researchCode' limit 1";
        
$result mysql_query($sql);        
        
$data[0] = base64_encode(mysql_result($result,0,0));
        
$data[1] = base64_encode(mysql_result($result,0,1));
        
$data[2] = base64_encode(mysql_result($result,0,2));
        
$data[3] = base64_encode(mysql_result($result,0,3));
        
$data[4] = base64_encode(mysql_result($result,0,4));
        
$data[5] = base64_encode(mysql_result($result,0,5));
        
$data[6] = base64_encode(mysql_result($result,0,6));
        
$data[7] = base64_encode(mysql_result($result,0,7)); 
        
$data[8] = base64_encode(mysql_result($result,0,8)); 
        
$data[9] = base64_encode(mysql_result($result,0,9));
        
$data[10] = base64_encode(mysql_result($result,0,10));
        
$data[11] = base64_encode(mysql_result($result,0,11));
        
$data[12] = base64_encode(mysql_result($result,0,12));
        
$data[13] = base64_encode(mysql_result($result,0,13));
        
$data[14] = base64_encode(mysql_result($result,0,14));
        
$data[15] = base64_encode(mysql_result($result,0,15));
        
$data[16] = base64_encode(mysql_result($result,0,16)); 
        
$data[17] = base64_encode(mysql_result($result,0,17));
        
$data[18] = base64_encode(mysql_result($result,0,18));
        
$data[19] = base64_encode(mysql_result($result,0,19));
        
$data[20] = base64_encode(mysql_result($result,0,20));
        
$data[21] = base64_encode(mysql_result($result,0,21));
        
$data[22] = base64_encode(mysql_result($result,0,22));
        
$data[23] = base64_encode(mysql_result($result,0,23));
        
$data[24] = base64_encode(mysql_result($result,0,24));
        
$data[25] = base64_encode(mysql_result($result,0,25)); 
        
$data[26] = base64_encode(mysql_result($result,0,26));
        
$data[27] = base64_encode(mysql_result($result,0,27));
        
$data[28] = base64_encode(mysql_result($result,0,28));
        
$data[29] = base64_encode(mysql_result($result,0,29));
        
$data[30] = base64_encode(mysql_result($result,0,30));
        
$data[31] = base64_encode(mysql_result($result,0,31));
        
$data[32] = base64_encode(mysql_result($result,0,32));
        
$data[33] = base64_encode(mysql_result($result,0,33));
        
$data[34] = base64_encode(mysql_result($result,0,34));        
        
$conn->Disconnect();        
        return 
$data;
    }    

    function 
getResearchCharTB($researchCode){
        include_once 
"../include/Config.php";
        include_once 
"class/clsConnection.php";
        include_once 
"class/clsDB.php";

        
$hostname $ServerName;
        
$dbname $DataBaseName;
        
$username $UserName;
        
$password $UserPassword;
        
$conn = new clsConnection("$hostname","$dbname","$username","$password");
        
$sql "select * from research_char_tb where RecharId = '$researchCode' limit 1";
        
$result mysql_query($sql);
        
$data[0] = base64_encode(mysql_result($result,0,0));
        
$data[1] = base64_encode(mysql_result($result,0,1));
        
$data[2] = base64_encode(mysql_result($result,0,2));
        
$data[3] = base64_encode(mysql_result($result,0,3));
        
$data[4] = base64_encode(mysql_result($result,0,4));
        
$data[5] = base64_encode(mysql_result($result,0,5));
        
$data[6] = base64_encode(mysql_result($result,0,6));
        
$conn->Disconnect();        
        return 
$data;
    }
    
    function 
getResearchFileTB($researchCode){
        include_once 
"../include/Config.php";
        include_once 
"class/clsConnection.php";
        include_once 
"class/clsDB.php";

        
$hostname $ServerName;
        
$dbname $DataBaseName;
        
$username $UserName;
        
$password $UserPassword;
        
$conn = new clsConnection("$hostname","$dbname","$username","$password");
        
$sql "select * from research_file_tb where Research_Id = '$researchCode' limit 1";
        
$result mysql_query($sql);
        
$data[0] = base64_encode(mysql_result($result,0,0));
        
$data[1] = base64_encode(mysql_result($result,0,1));
        
$data[2] = base64_encode(mysql_result($result,0,2));
        
$data[3] = base64_encode(mysql_result($result,0,3));
        
$data[4] = base64_encode(mysql_result($result,0,4));
        
$data[5] = base64_encode(mysql_result($result,0,5));
        
$data[6] = base64_encode(mysql_result($result,0,6));
        
$data[7] = base64_encode(mysql_result($result,0,7)); 
        
$data[8] = base64_encode(mysql_result($result,0,8)); 
        
$data[9] = base64_encode(mysql_result($result,0,9));
        
$data[10] = base64_encode(mysql_result($result,0,10));
        
$data[11] = base64_encode(mysql_result($result,0,11));
        
$conn->Disconnect();        
        return 
$data;
    }
    
    function 
getResearchPublicTB($researchCode){
        include_once 
"../include/Config.php";
        include_once 
"class/clsConnection.php";
        include_once 
"class/clsDB.php";

        
$hostname $ServerName;
        
$dbname $DataBaseName;
        
$username $UserName;
        
$password $UserPassword;
        
$conn = new clsConnection("$hostname","$dbname","$username","$password");
        
$sql "select * from research_public_tb where RepbCo = '$researchCode' limit 1";
        
$result mysql_query($sql);
        
$data[0] = base64_encode(mysql_result($result,0,0));
        
$data[1] = base64_encode(mysql_result($result,0,1));
        
$data[2] = base64_encode(mysql_result($result,0,2));
        
$data[3] = base64_encode(mysql_result($result,0,3));
        
$data[4] = base64_encode(mysql_result($result,0,4));
        
$data[5] = base64_encode(mysql_result($result,0,5));
        
$data[6] = base64_encode(mysql_result($result,0,6));
        
$data[7] = base64_encode(mysql_result($result,0,7)); 
        
$data[8] = base64_encode(mysql_result($result,0,8)); 
        
$data[9] = base64_encode(mysql_result($result,0,9));
        
$data[10] = base64_encode(mysql_result($result,0,10));
        
$data[11] = base64_encode(mysql_result($result,0,11));
        
$data[12] = base64_encode(mysql_result($result,0,12));
        
$data[13] = base64_encode(mysql_result($result,0,13));
        
$data[14] = base64_encode(mysql_result($result,0,14));
        
$data[15] = base64_encode(mysql_result($result,0,15));
        
$data[16] = base64_encode(mysql_result($result,0,16)); 
        
$data[17] = base64_encode(mysql_result($result,0,17));
        
$data[18] = base64_encode(mysql_result($result,0,18));
        
$data[19] = base64_encode(mysql_result($result,0,19));
        
$data[20] = base64_encode(mysql_result($result,0,20));
        
$data[21] = base64_encode(mysql_result($result,0,21));
        
$data[22] = base64_encode(mysql_result($result,0,22));
        
$data[23] = base64_encode(mysql_result($result,0,23));
        
$data[24] = base64_encode(mysql_result($result,0,24));
        
$data[25] = base64_encode(mysql_result($result,0,25)); 
        
$data[26] = base64_encode(mysql_result($result,0,26));
        
$data[27] = base64_encode(mysql_result($result,0,27));
        
$data[28] = base64_encode(mysql_result($result,0,28));
        
$data[29] = base64_encode(mysql_result($result,0,29));
        
$data[30] = base64_encode(mysql_result($result,0,30));
        
$data[31] = base64_encode(mysql_result($result,0,31));
        
$data[32] = base64_encode(mysql_result($result,0,32));
        
$data[33] = base64_encode(mysql_result($result,0,33));    
        
$conn->Disconnect();        
        return 
$data;
    }

    function 
getResearchSuccessTB($researchCode){
        include_once 
"../include/Config.php";
        include_once 
"class/clsConnection.php";
        include_once 
"class/clsDB.php";

        
$hostname $ServerName;
        
$dbname $DataBaseName;
        
$username $UserName;
        
$password $UserPassword;
        
$conn = new clsConnection("$hostname","$dbname","$username","$password");
        
$sql "select * from research_success_tb where ResuccessId = '$researchCode' limit 1";
        
$result mysql_query($sql);
        
$data[0] = base64_encode(mysql_result($result,0,0));
        
$data[1] = base64_encode(mysql_result($result,0,1));
        
$data[2] = base64_encode(mysql_result($result,0,2));
        
$data[3] = base64_encode(mysql_result($result,0,3));
        
$data[4] = base64_encode(mysql_result($result,0,4));
        
$data[5] = base64_encode(mysql_result($result,0,5));
        
$conn->Disconnect();        
        return 
$data;
    }

    
//Use the request to (try to) invoke the service
    
$HTTP_RAW_POST_DATA = isset($HTTP_RAW_POST_DATA) ? $HTTP_RAW_POST_DATA '';
    
$server->service($HTTP_RAW_POST_DATA);

?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0143 ]--