!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/mis/application/controllers/eregis-12022565/   drwxrwxrwx
Free 50.99 GB of 127.8 GB (39.9%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     faq.php (12.85 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php
include('rg_controller.php');
class 
Faq extends Rg_controller {

    function 
__construct() {
        
parent::__construct();
        if(
strpos($this->config->item('rg_wg_faq'), $this->session->userdata('UsWgID')) === false) {
            
redirect("logout");
        }
    }

    function 
showFaq() {
        
$this->load->model($this->config->item("rg_folder").'mo_rg_faq','faq');
    
        
$this->faq->faqId $this->input->post('faqId');
        
$this->contents['qu_faq'] = $this->faq->get_by_key();

        
$this->contents['max_faqId'] = $this->faq->qryMaxFaqId();
        
$this->contents['rs_faq'] = $this->faq->qryFaq();

        
$this->output($this->config->item("rg_folder")."v_showFaq");
    }

    function 
faq_insert_update() {
        
$this->load->library('form_validation');
        
$this->form_validation->set_error_delimiters('<div class="error">','</div>');
        
$this->form_validation->set_rules('fagId',' ','trim|xss_clean');
        
$this->form_validation->set_rules('faqQuestion','คำถาม','trim|required|xss_clean');
        
$this->form_validation->set_rules('faqAnswer','คำตอบ','trim|required|xss_clean');

        if(
$this->form_validation->run() == true) {
            
$this->db->trans_begin();
            
$this->load->model($this->config->item("rg_folder").'mo_rg_faq','faq');
                
            
$faqId $this->input->post('faqId');
            
$faqQuestion $this->input->post('faqQuestion');
            
$faqAnswer $this->input->post('faqAnswer');

            
$this->faq->faqId $faqId;
            
$qu_faq $this->faq->get_by_key();
            if(
$qu_faq->num_rows()) {
                
$con_rs_faq = array('faqQuestion'    => $faqQuestion,
                                    
'faqAnswer'        => $faqAnswer);
                
$rs_faq $this->faq->qryFaqNotId($con_rs_faq,$faqId);
                if(!
$rs_faq->num_rows()) {
                    
$this->faq->faqQuestion $faqQuestion;
                    
$this->faq->faqAnswer $faqAnswer;
                    
$this->faq->update();
                }
            } else {
                
$con_rs_faq = array('faqQuestion'    => $faqQuestion,
                                    
'faqAnswer'        => $faqAnswer);
                
$rs_faq $this->faq->qryFaq($con_rs_faq);
                if(!
$rs_faq->num_rows()) {
                    
$this->faq->faqId "";
                    
$this->faq->faqQuestion $faqQuestion;
                    
$this->faq->faqAnswer $faqAnswer;
                    
$this->faq->insert();
                }
            }

            if(
$this->db->trans_status() === false) {
                
$this->db->trans_rollback();
            } else {
                
$this->db->trans_commit();
            }

            
redirect($this->config->item("rg_folder")."faq/showFaq");
        } else {
            
$this->showFaq();
        }
    }

    function 
faq_delete() {
        
$this->load->model($this->config->item("rg_folder").'mo_rg_faq','faq');

        
$this->faq->faqId $this->input->post('faqId');
        
$this->faq->delete();

        
redirect($this->config->item("rg_folder")."faq/showFaq");
    }

    function 
nw_show() {
        
$this->load->model($this->config->item("ums_folder").'m_umsystem','sys');
        
$this->load->model($this->config->item("rg_folder").'mo_rg_news','nw');

        
$sys $this->sys->qrySystemInEERP();
        if(
$sys->num_rows()) {
            
$opt[''] = '';
            foreach(
$sys->result() as $row_sys) {
                
$opt[$row_sys->StID] = $row_sys->StNameT;
            }
        }
        
// กรณี update
        
$nwId $this->input->post('nwId');
        
$con_qu_nw = array('nwId'    => $nwId);
        
$this->contents['qu_nw'] = $this->nw->qryNw($con_qu_nw);
        
// จบกรณี update

        
$this->contents['rs_nw'] = $this->nw->qryNwBetweenDateOrderDateDesc(getNowDate());
        
$this->contents['rs_sys'] = $opt;

        
$this->output($this->config->item("rg_folder")."v_showNews");
    }
    
    function 
nw_insert_update() {
        
$this->load->library('form_validation');
        
$this->form_validation->set_error_delimiters('<div class="error">','</div>');
        
$this->form_validation->set_rules('nwTitle',' ','trim|required|xss_clean');
        
$this->form_validation->set_rules('nwSystem',' ','trim|required|xss_clean');
        
$this->form_validation->set_rules('nwFrDate',' ','trim|callback_checkFrDate[nwToDate]|xss_clean');
        
$this->form_validation->set_rules('nwToDate',' ','trim|xss_clean');
        
$this->form_validation->set_rules('nwPicture',' ','trim|xss_clean');
        
$this->form_validation->set_rules('nwAnnoucedBy',' ','trim|required|xss_clean');
        
$this->form_validation->set_rules('nwDetail',' ','trim|required|xss_clean');
        
$this->form_validation->set_rules('nwId',' ','trim|xss_clean');

        
// อัพรูปข่าวประกาศ
        
$this->load->library('upload');
        foreach(
$_FILES as $key => $value) {
            if(
$value['name']!="") {    // เช็คว่า browse file จริง
                
$config['upload_path'] = $this->config->item('rg_upload_pictureNews');
                
$config['allowed_types'] = 'jpg|gif';
                
$config['max_size']    = $this->config->item('rg_upload_size');
                
$config['max_width'] = $this->config->item('rg_allowed_width');
                
$config['max_height'] = $this->config->item('rg_allowed_height');

                
$config['file_name'] = 'nw_'.date('dmY_His');
                
$this->upload->initialize($config);
                if (
$this->upload->do_upload($key)){
                    
$data = array('upload_data' => $this->upload->data());
                    
$path $data['upload_data']['file_name'];
                } else {
                    
$error = array('error' => $this->upload->display_errors());
                    
$this->form_validation->set_rules('nwPicture'trim($error['error']), 'callback_checkupload');
                }
            }
        }
        
// สิ้นสุดการอัพโหลดข่าวประกาศ

        
if($this->form_validation->run() == true) {
            
$this->load->model($this->config->item("rg_folder").'mo_rg_news','nw');

            
$nwId $this->input->post('nwId');
            
$nwTitle $this->input->post('nwTitle');
            
$nwSystem $this->input->post('nwSystem');
            
$nwFrDate splitDateForm2($this->input->post('nwFrDate'),'-');
            
$nwToDate splitDateForm2($this->input->post('nwToDate'),'-');
            
$nwPicture = ($value['name']!="") ? $path "";
            
$nwAnnoucedBy $this->input->post('nwAnnoucedBy');
            
$nwDetail $this->input->post('nwDetail');
            
$nwCreateDate getNowDate();

            
$this->db->trans_begin();
            if(
$nwId==0) {
                
$con_qu_nw = array('nwTitle'        => $nwTitle,
                                   
'nwSystem'        => $nwTitle,
                                   
'nwCreateDate'    => $nwCreateDate."%");
                
$qu_nw $this->nw->qryNw($con_qu_nw);
                if(
$qu_nw->num_rows()==0) {
                    
$this->nw->nwId "";
                    
$this->nw->nwSystem $nwSystem;
                    
$this->nw->nwTitle $nwTitle;
                    
$this->nw->nwFrDate $nwFrDate;
                    
$this->nw->nwToDate $nwToDate;
                    
$this->nw->nwAnnoucedBy $nwAnnoucedBy;
                    
$this->nw->nwPicture $nwPicture;
                    
$this->nw->nwDetail $nwDetail;
                    
$this->nw->nwCreateDate date('Y-m-d H:i:s');
                    
$this->nw->nwCreateUserId $this->session->userdata('UsLogin');
                    
$this->nw->nwUpdateDate date('Y-m-d H:i:s');
                    
$this->nw->nwUpdateUserId $this->session->userdata('UsLogin');
                    
$this->nw->nwWorkFor NULL;
                    
$this->nw->insert();

                    
$id $this->nw->last_insert_id();
                }
            } else {
                
$this->nw->nwId $nwId;
                
$this->nw->get_by_key(TRUE);

                
$this->nw->nwSystem $nwSystem;
                
$this->nw->nwTitle $nwTitle;
                
$this->nw->nwFrDate $nwFrDate;
                
$this->nw->nwToDate $nwToDate;
                
$this->nw->nwAnnoucedBy $nwAnnoucedBy;
                
$this->nw->nwPicture $nwPicture;
                
$this->nw->nwDetail $nwDetail;
                
$this->nw->nwCreateDate date('Y-m-d H:i:s');
                
$this->nw->nwCreateUserId $this->session->userdata('UsLogin');
                
$this->nw->nwUpdateDate date('Y-m-d H:i:s');
                
$this->nw->nwUpdateUserId $this->session->userdata('UsLogin');
                
$this->nw->update();

                
$id $nwId;
            }

            if(
$this->db->trans_status() === false) {
                
$this->db->trans_rollback();
            } else {
                
$this->db->trans_commit();
            }
            
redirect($this->config->item("rg_folder")."faq/nw_attachFile/$id");
        } else {
            
$this->load->vars(array('passvalid'    => 1));
            
$this->nw_show();
        }
    }

    function 
nw_attachFile($id=0) {
        
$this->load->model($this->config->item("rg_folder").'mo_rg_news','nw');
        
$this->load->model($this->config->item("rg_folder").'mo_rg_newsfileupload','nwu');

        
$this->nw->nwId $id;
        
$this->contents['qu_nw'] = $this->nw->get_by_key();

        
$con_rs_nwu = array('nwuNwId'    => $id);
        
$this->contents['rs_nwu'] = $this->nwu->qryNwu($con_rs_nwu);

        
$this->output($this->config->item("rg_folder")."v_NewsFileAttach");
    }

    function 
checkDocName($str) {
        
// ชื่อเอกสาร : $str
        
$nwId $this->input->post('nwId');

        
$this->load->model($this->config->item("rg_folder").'mo_rg_newsfileupload','nwu');

        if(
$str=="") {
            
$this->form_validation->set_message('checkDocName','กรุณาป้อน%s');
            return 
false;
        } else {
            
$con_rs_nwu = array('nwuFileName'    => $str,
                                
'nwuNwId'        => $nwId);
            
$rs_nwu $this->nwu->qryNwu($con_rs_nwu);
            if(
$rs_nwu->num_rows()) {
                
$this->form_validation->set_message('checkDocName','ชื่อเอกสารซ้ำ กรุณาป้อนชื่อใหม่');
                return 
false;
            } else {
                return 
true;
            }
        }
    }

    function 
nw_attachFile_insert_update() {
        
$this->load->model($this->config->item("rg_folder").'mo_rg_news','nw');
        
$this->load->model($this->config->item("rg_folder").'mo_rg_newsfileupload','nwu');

        
$this->load->library('form_validation');
        
$this->form_validation->set_error_delimiters('<div class="error">','</div>');
        
$this->form_validation->set_rules('nwId',' ','trim|required|xss_clean');
        
$this->form_validation->set_rules('docName',' ','trim|required|callback_checkDocName|xss_clean');
        
$this->form_validation->set_rules('docFile',' ','trim|xss_clean');

        
$this->load->library('upload');
        foreach(
$_FILES as $key => $value) {
            
$config['upload_path'] = $this->config->item('rg_upload_docNews');
            
$config['allowed_types'] = '*';
            
$config['max_size'] = $this->config->item('rg_upload_maxsize');
            
$config['file_name'] = "file_".date('dmY_His');

            
$this->upload->initialize($config);
            if (
$this->upload->do_upload($key)){
                
$data = array('upload_data' => $this->upload->data());
                
$path $data['upload_data']['file_name'];
            } else {
                
$error = array('error' => $this->upload->display_errors());
                
$this->form_validation->set_rules('docFile'trim($error['error']), 'callback_checkupload');
            }
        }
        
// ************ upload file
        
$nwId $this->input->post('nwId');
        if(
$this->form_validation->run() == true) {
            
$this->db->trans_begin();

            
// ตรวจสอบชื่อเอกสาร
            
$con_rs_nwu = array('nwuNwId'    => $nwId,
                                
'nwuFileName'    => $this->input->post('docName'));
            
$rs_nwu $this->nwu->qryNwu($con_rs_nwu);
            
$file_version $rs_nwu->num_rows();
            
// จบตรวจสอบชื่อเอกสาร

            
$this->nwu->nwuId "";
            
$this->nwu->nwuSeq $this->nwu->getNextSeqByNwuNwId($nwId);
            
$this->nwu->nwuNwId $nwId;
            
$this->nwu->nwuFileName $this->input->post('docName').(($file_version==0) ? "" "[".$file_version."]");
            
$this->nwu->nwuPath $path;
            
$this->nwu->nwuCreateDate date('Y-m-d H:i:s');
            
$this->nwu->nwuUserId $this->session->userdata('UsLogin');
            
$this->nwu->insert();

            if(
$this->db->trans_status() === false) {
                
$this->db->trans_rollback();
            } else {
                
$this->db->trans_commit();
            }

            
redirect($this->config->item("rg_folder")."faq/nw_attachFile/$nwId");
        } else {
            
$this->nw_attachFile($nwId);
        }
    }

    function 
nwu_deleteFile() {
        
$this->load->model($this->config->item("rg_folder").'mo_rg_newsfileupload','nwu');

        
$nwuId $this->input->post('nwuId');
        
$nwuNwId $this->input->post('nwuNwId');

        
$this->nwu->nwuId $nwuId;
        
$this->nwu->delete();

        
redirect($this->config->item("rg_folder")."faq/nw_attachFile/$nwuNwId");
    }
    function 
nw_showDetail() {
        
$this->load->model($this->config->item("rg_folder").'mo_rg_news','nw');
        
$this->load->model($this->config->item("rg_folder").'mo_rg_newsfileupload','nwu');

        
$nwId $this->input->post('nwId');

        
$con_qu_nw = array('nwId'    => $nwId);
        
$this->contents['qu_nw'] = $this->nw->qryNwJoinUmsystem($con_qu_nw);

        
$con_rs_nwu = array('nwuNwId'    => $nwId);
        
$this->contents['rs_nwu'] = $this->nwu->qryNwu($con_rs_nwu);

        
$this->output_detail($this->config->item("rg_folder")."v_showDetailNews");
    }
    function 
nw_delete() {
        
$this->load->model($this->config->item("rg_folder").'mo_rg_news','nw');
        
$this->load->model($this->config->item("rg_folder").'mo_rg_newsfileupload','nwu');

        
$nwId $this->input->post('nwId');

        
$con_rs_nw = array('nwuNwId'    => $nwId);
        
$this->nwu->delNwu($con_rs_nw);
        
        
$this->nw->nwId $nwId;
        
$this->nw->delete();

        
redirect($this->config->item('rg_folder').'faq/nw_show');
    }
    function 
nw_showAll() {
        
$this->load->model($this->config->item("ums_folder").'m_umsystem','sys');
        
$this->load->model($this->config->item("rg_folder").'mo_rg_news','nw');

        
$sys $this->sys->qrySystemInEERP();
        if(
$sys->num_rows()) {
            
$i 0;
            foreach(
$sys->result() as $row_sys) {
                if(
$i==0) {
                    
$chksys $row_sys->StID;
                    
$this->contents['chksys'] = $chksys;
                }

                
$opt[$row_sys->StID] = $row_sys->StNameT;

                
$i++;
            }
        }

        
$sys $this->input->post('nwSystem');
        if(
$sys!="") {
            
$chksys $this->input->post('nwSystem');
            
$this->contents['chksys'] = $chksys;
        }
        
$con_rs_nw = array('nwSystem'    => $chksys);
        
$ord_rs_nw = array('nwToDate'    => 'DESC');
        
$this->contents['rs_nw'] = $this->nw->qryNwJoinUmsystem($con_rs_nw$ord_rs_nw);
        
$this->contents['rs_sys'] = $opt;

        
$this->output($this->config->item("rg_folder")."v_NewsShowAll");
    }
}
?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0187 ]--