!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/mis/application/controllers/esa/   drwxr-xr-x
Free 50.99 GB of 127.8 GB (39.9%)


Viewing file:     search.php (6.91 KB)      -rwxr-xr-x
<?php
include("sa_controller.php");
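/**
 * Popup and AJAX search endpoints (students, staff, curriculum/year/position
 * drop-downs) built on the project's Sa_controller base class.
 *
 * The methods echo their response directly; most return nothing.
 *
 * NOTE(review): the captured listing this class was recovered from had lost
 * some tokens (` = `, `, ` and the literal in `$cur != ...`). They are
 * restored here by inference from context; confirm against the real file.
 *
 * NOTE(review): several actions hand request-derived values (URL segments and
 * POST fields) to model properties and methods. The models are not visible
 * here, so whether they bind or escape those values in SQL must be checked
 * in the model code.
 */
class search extends Sa_controller {

    /**
     * PHP 4-style constructor (method named after the class); it only chains
     * to the parent constructor.
     *
     * NOTE(review): PHP 8 no longer treats a same-named method as a
     * constructor, so on a modern runtime this would become an ordinary
     * public method. Kept as-is to leave the class interface unchanged.
     */
    function search()
    {
        parent::__construct();
    }

    /**
     * Convert TIS-620 text to UTF-8, recursing into arrays.
     *
     * Fixes two defects of the original: it called ->result_array() on a
     * value it had just proven to be a plain array, and it recursed through
     * an undefined global function instead of this method.
     *
     * @param mixed $data A string, or an (optionally nested) array of strings.
     * @return mixed The same shape with every leaf passed through iconv();
     *               a leaf is FALSE where iconv() fails.
     */
    function js_thai_encode($data)
    {
        if (!is_array($data)) {
            return iconv("tis-620", "utf-8", $data);
        }

        foreach ($data as $key => $value) {
            // Recursion covers both nested arrays and scalar leaves.
            $data[$key] = $this->js_thai_encode($value);
        }

        return $data;
    }

    /**
     * Encode one value as a JSON string literal.
     *
     * Database text used to be interpolated into the JSON by hand with no
     * escaping, so a quote or backslash in a name broke (or rewrote) the
     * response. This helper escapes the JSON metacharacters, and also
     * `<`, `>` and `&` in case a client treats the response as HTML.
     *
     * Deliberately free of json_encode(): that function is only built in from
     * PHP 5.2 and rejects non-UTF-8 bytes, whereas the original concatenation
     * passed bytes through unchanged.
     *
     * Private and underscore-prefixed so that a framework which maps URLs to
     * public controller methods does not expose it as an action.
     *
     * @param mixed $text Value to encode; cast to string.
     * @return string Double-quoted JSON string literal.
     */
    private function _json_string($text)
    {
        $escaped = strtr((string) $text, array(
            '\\' => '\\\\',
            '"'  => '\\"',
            "\n" => '\\n',
            "\r" => '\\r',
            "\t" => '\\t',
            '<'  => '\\u003C',
            '>'  => '\\u003E',
            '&'  => '\\u0026',
        ));

        // Any other raw control byte is illegal inside a JSON string; drop it.
        return '"' . preg_replace('/[\x00-\x1F]/', '', $escaped) . '"';
    }

    /**
     * Encode an identifier for JSON: plain decimal integers are emitted as a
     * bare number (what the original produced), anything else as a quoted,
     * escaped string so the document stays well-formed.
     *
     * @param mixed $id Identifier as returned by the database layer.
     * @return string JSON number or JSON string literal.
     */
    private function _json_id($id)
    {
        if (preg_match('/^(0|[1-9][0-9]*)$/', (string) $id)) {
            return (string) $id;
        }

        return $this->_json_string($id);
    }

    /**
     * Build the "code: name surname" label of a student row as a JSON string.
     *
     * @param object $row Row object exposing stdCode, stdName and stdSurname.
     * @return string JSON string literal.
     */
    private function _std_label_json($row)
    {
        return $this->_json_string("$row->stdCode: $row->stdName $row->stdSurname");
    }

    /**
     * HTML-escape a request value before it is echoed into markup.
     *
     * ISO-8859-1 is used as the charset on purpose: it makes
     * htmlspecialchars() byte-transparent, so the five ASCII special
     * characters are escaped whether the page is served as TIS-620 or UTF-8,
     * and input with an unexpected encoding is never blanked out.
     *
     * @param mixed $value Request value; non-scalars (e.g. array parameters)
     *                     yield an empty string.
     * @return string Escaped text that is safe in element and attribute context.
     */
    private function _html($value)
    {
        if (!is_scalar($value)) {
            return '';
        }

        return htmlspecialchars((string) $value, ENT_QUOTES, 'ISO-8859-1');
    }

    /** Render the first teacher-search popup with no data. */
    function searchTeacher()
    {
        $this->output_popup("v_popSearchTeacher", '');
    }

    /** Render the second teacher-search popup with no data. */
    function searchTeacher2()
    {
        $this->output_popup("v_popSearchTeacher2", '');
    }

    /** Echo whatever sa_student_model::getList() returns. */
    function get_std_list()
    {
        $this->load->model($this->config->item('sa_folder') . 'sa_student_model', 'std');
        echo $this->std->getList();
    }

    /**
     * Echo the students returned by regist_model::list_std() as a JSON array
     * of objects:
     *   caption : the option text shown on screen
     *   value   : the value sent when the form is submitted
     *
     * Compared with the original, captions are escaped and an empty result
     * yields "[]" (the old substr() trimming produced a lone "]").
     *
     * @param string $acY Value copied to the model's rgAcY property before
     *                    the query runs.
     */
    function get_std_json($acY = '')
    {
        $this->load->model($this->config->item('sa_folder') . 'regist_model', 'std');
        $this->std->rgAcY = $acY;
        $query = $this->std->list_std();

        $items = array();
        foreach ($query->result() as $row) {
            // The trailing space inside the caption is kept from the original.
            $caption = "$row->stdCode: $row->stdName $row->stdSurname ";
            $items[] = '{ "caption" : ' . $this->_json_string($caption)
                . ' ,"value":' . $this->_json_id($row->stdId) . '}';
        }

        echo '[' . implode(', ', $items) . ']';
    }

    /** Echo whatever sa_student_model::getList() returns (same source as get_std_list). */
    function get_prs_list()
    {
        $this->load->model($this->config->item('sa_folder') . 'sa_student_model', 'std');
        echo $this->std->getList();
    }

    /** Echo whatever sa_student_model::getListCrs() returns. */
    function get_crs_list()
    {
        $this->load->model($this->config->item('sa_folder') . 'sa_student_model', 'std');
        echo $this->std->getListCrs();
    }

    /**
     * Echo a JSON array of "code: name surname" labels for the rows returned
     * by mo_rg_student::qryStdJoinSdtForMil().
     *
     * Labels are escaped, and an empty result yields "[]" instead of "]".
     * (An older, explicitly filtered qryStdJoinSdt() call was already
     * commented out in the original.)
     */
    function get_mstd_list()
    {
        $this->load->model($this->config->item('rg_folder') . 'mo_rg_student', 'std');

        $rs_std = $this->std->qryStdJoinSdtForMil();

        $labels = array();
        foreach ($rs_std->result() as $row) {
            $labels[] = $this->_std_label_json($row);
        }

        echo '[' . implode(', ', $labels) . ']';
    }

    /**
     * Echo a JSON array of student labels for every type-1 target group of a
     * project.
     *
     * For each target-group row, students are queried with stdSstId = 1,
     * narrowed by the row's tg_cur_id / tg_tm_id when those are set.
     * Labels are escaped, and an empty result yields "[]" instead of "]".
     *
     * @param mixed $dpj_id Value copied to the target-group model's tg_dpj_id.
     */
    function get_tgstd_list($dpj_id)
    {
        $this->load->model($this->config->item('sa_folder') . 'sa_target_group_model', 'tg');
        $this->load->model($this->config->item('rg_folder') . 'mo_rg_student', 'std');

        $this->tg->tg_dpj_id = $dpj_id;
        $this->tg->tg_type = 1;
        $rs_dpj = $this->tg->get_by_dpj_type();

        $labels = array();
        foreach ($rs_dpj->result() as $row_dpj) {
            $con_rs_std = array('stdSstId' => 1);
            if ($row_dpj->tg_cur_id) {
                $con_rs_std['stdCurId'] = $row_dpj->tg_cur_id;
            }
            if ($row_dpj->tg_tm_id) {
                $con_rs_std['stdSyId'] = $row_dpj->tg_tm_id;
            }

            $rs_std = $this->std->qryStdJoinSdt($con_rs_std);
            foreach ($rs_std->result() as $row) {
                $labels[] = $this->_std_label_json($row);
            }
        }

        echo '[' . implode(', ', $labels) . ']';
    }

    /**
     * Search persons by first/last name and render the matching popup.
     *
     * The name_search / lname_search fields take precedence over their
     * "...2" counterparts; whichever pair was used also decides which popup
     * view is rendered.
     *
     * NOTE(review): the raw POST values go straight to
     * mo_person::qrySearchPrs(); verify that it binds or escapes them.
     */
    function get_ps_list()
    {
        $name1 = $this->input->post('name_search');
        $lname1 = $this->input->post('lname_search');

        $fname = $name1 ? $name1 : $this->input->post('name_search2');
        $lname = $lname1 ? $lname1 : $this->input->post('lname_search2');

        $this->load->model($this->config->item("ppc_folder") . 'mo_person', 'ps');
        $data['ps'] = $this->ps->qrySearchPrs($fname, $lname);

        if ($name1 || $lname1) {
            $this->output_popup("v_popSearchTeacher", $data);
        } else {
            $this->output_popup("v_popSearchTeacher2", $data);
        }
    }

    /** Echo whatever sa_person_model::getListTe() returns. */
    function get_ps_list1()
    {
        $this->load->model($this->config->item('sa_folder') . 'sa_person_model', 'ps');
        echo $this->ps->getListTe();
    }

    /** Render the student-search popup with no data. */
    function searchStudent()
    {
        $this->output_popup("v_pop_search_std", '');
    }

    /**
     * Search students by name, surname and code, then render the popup with
     * the result.
     *
     * NOTE(review): the raw POST values are assigned to model properties
     * before getList2() runs; verify that the model binds or escapes them.
     */
    function search_std()
    {
        $this->load->model($this->config->item('sa_folder') . 'sa_student_model', 'std');

        $std = $this->std;
        $std->std_name = $this->input->post('name_search');
        $std->std_surname = $this->input->post('lname_search');
        $std->std_code = $this->input->post('code_search');

        $data['std'] = $std->getList2();
        $this->output_popup("v_pop_search_std", $data);
    }

    /**
     * Echo a curriculum drop-down (field "curId") built from
     * regist_model::get_rgCur().
     *
     * @param string $acY Value copied to the model's AcY property.
     * @param mixed  $cur Curriculum filter; 0 means "no filter".
     * @param mixed  $sy  Study-year filter; 0 means "no filter".
     * @return mixed The query result object returned by the model.
     */
    function get_cur_option($acY = '', $cur = 0, $sy = 0)
    {
        $this->load->model($this->config->item('sa_folder') . 'regist_model', 'cur');
        $this->cur->AcY = $acY;
        // NOTE(review): the compared literal was missing from the captured
        // listing; 0 is inferred from the parameter defaults - confirm.
        $this->cur->CurId = ($cur != 0) ? $cur : '';
        $this->cur->SyId = ($sy != 0) ? $sy : '';
        $query = $this->cur->get_rgCur();

        $options = array();
        $options[''] = '-- ทุกหลักสูตร --';
        foreach ($query->result() as $row) {
            $options[$row->curId] = $row->curName;
        }
        $js = 'id="curId" onChange="getSy();"';

        echo form_dropdown('curId', $options, '', $js);

        return $query;
    }

    /**
     * Echo a study-year drop-down (field "syId") built from
     * regist_model::get_rgSy().
     *
     * @param string $acY Value copied to the model's AcY property.
     * @param mixed  $cur Curriculum filter; 0 means "no filter".
     * @param mixed  $sy  Study-year filter; 0 means "no filter".
     */
    function get_sy_option($acY = '', $cur = 0, $sy = 0)
    {
        $this->load->model($this->config->item('sa_folder') . 'regist_model', 'cur');
        $this->cur->AcY = $acY;
        // NOTE(review): compared literal inferred as 0, as in get_cur_option().
        $this->cur->CurId = ($cur != 0) ? $cur : '';
        $this->cur->SyId = ($sy != 0) ? $sy : '';
        $query = $this->cur->get_rgSy();

        $options = array();
        $options[''] = '-- ทุกชั้นปี --';
        foreach ($query->result() as $row) {
            $options[$row->syId] = $row->syName;
        }
        $js = 'id="syId" ';

        echo form_dropdown('syId', $options, '', $js);
    }

    /**
     * Echo a position drop-down (field "pos_id") for a club or student
     * organisation, followed by a required-field marker.
     *
     * cl_id wins over smo_id when both are supplied; pos_id pre-selects an
     * option. All three are read from GET/POST with the filter flag set to
     * TRUE.
     */
    function get_position()
    {
        $this->load->model($this->config->item('sa_folder') . 'sa_smo_club_model', 'sc');

        $smo_id = $this->input->get_post('smo_id', TRUE);
        $cl_id = $this->input->get_post('cl_id', TRUE);
        $pos_id = $this->input->get_post('pos_id', TRUE);

        $sc_id = ($cl_id != '') ? $cl_id : $smo_id;
        $this->sc->sc_id = $sc_id;
        $query = $this->sc->get_position();

        $options = array();
        $options[''] = '-- เลือกตำแหน่ง--';
        foreach ($query->result() as $row) {
            $options[$row->pos_id] = $row->pos_name;
        }
        $js = 'id="posId" ';

        echo form_dropdown('pos_id', $options, $pos_id, $js) . "<span class='error'> *</span>";
    }

    /**
     * Debug action: echo the smo_id, cl_id and year request parameters.
     *
     * The values are now HTML-escaped before being written into the page.
     * The TRUE flag on get_post() (CodeIgniter's xss_clean option, if this is
     * the stock input class) is a pattern filter, not output encoding, so it
     * must not be the only barrier against reflected script injection.
     *
     * NOTE(review): this looks like a leftover test endpoint; consider
     * removing it from production builds.
     */
    function test()
    {
        $smo_id = $this->_html($this->input->get_post('smo_id', TRUE));
        $cl_id = $this->_html($this->input->get_post('cl_id', TRUE));
        $year = $this->_html($this->input->get_post('year', TRUE));

        $data = 'controller search/test </br>';
        $data .= "smo_id : $smo_id </br> cl_id : $cl_id </br> year : $year ";
        echo $data;
    }

}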

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0204 ]--