!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/mis/xmigratex/   drwxr-xr-x
Free 51.24 GB of 127.8 GB (40.09%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     arr_people.php (4.13 KB)      -rwxr-xr-x
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php 
$sm
=array( 
array(
'old' =>array('name'=>'Officer''fld'=>array('officerId','officerNameEng','officerSurnameEng','officerEmail','ofPicturePath')),
'new' =>array('name'=>'PersonT''fld'=>array('personId','fName2','lName2','emailAddr','pic')),
'ref' =>array('fld'=>array('-','-','-','-','-')),
'def' =>array('fld'=>array('-','-','-','-','picpath/ofPicturePath/ ')),
'minus' =>array(),
'plus' =>array(),
'sql' =>'?',
'qry' =>" SELECT officerId,officerNameEng,officerSurnameEng,officerEmail,TRIM(REPLACE(ofPicturePath,'../pictureT/',''))
FROM $dbreg.`Officer` 
WHERE ofSitId = 1 AND officerCode NOT IN 
(SELECT personCode FROM $dbppc.`Person` ) 
ORDER BY officerId"
),
array(
'old' =>array('name'=>'Officer''fld'=>array('officerId','officerCode','prefixId','officerName','officerSurname','officerStatus')),
'new' =>array('name'=>'Person''fld'=>array('personId','personCode','prefixId','fName','lName','fStatus')),
'ref' =>array('fld'=>array('-','-','-','-','-','-')),
'def' =>array('fld'=>array('-','-','-','-','-','-')),
'minus' =>array(),
'plus' =>array(),
'sql' =>'?',
'qry' =>" SELECT officerId,officerCode,prefixId,officerName,officerSurname,officerStatus 
FROM $dbreg.`Officer` WHERE ofSitId = 1 AND officerCode NOT IN 
(SELECT personCode FROM $dbppc.`Person` ) ORDER BY officerId"
),

array(
'old' =>array('name'=>'Officer''fld'=>array('-','contactAddress','contactPhone','prefixId','contactPhone','officerName','officerSurname')),
'new' =>array('name'=>'Personout''fld'=>array('outtypeId','address','phone','prefixId','workPhone','fName','lName')),
'ref' =>array('fld'=>array('-','-','-','-','-','-','-')),
'def' =>array('fld'=>array('-','-','-','-','-','-','-')),
'minus' =>array(),
'plus' =>array('0'),
'sql' =>'?',
'qry' => " SELECT 
'3', contactAddress, contactPhone, prefixId, contactPhone, officerName, officerSurname
FROM $dbreg.`Officer` WHERE ofSitId = 2 "
),

array(
'old' =>array('name'=>'Building''fld'=>array('-','-','-','-','-','-','-','-','buildingName')),
'new' =>array('name'=>'spc_Place''fld'=>array('plRmNo','plFloor','plBuilding','plRtId','plIsRoom','plIsDom','plNumFloor','plCapacity','hwName')),
'ref' =>array('fld'=>array('-','-','-','-','-','-','-','-')),
'def' =>array('fld'=>array('default/ /','default/0/','default/NULL/','default/NULL/','default/N/','default/1/','default/0/','-')),
'minus' =>array(),
'plus' =>array('0','1','2','3','4','5','6','7'),
'sql' => '?',
'qry' => " SELECT '','0',NULL,NULL,'N','N','1','0',buildingName 
FROM $dbreg.`Building` WHERE 1  "
),
/* OLD CODE: 'qry' => " SELECT '','0',NULL,NULL,'N','N','1','0',buildingName 
FROM $dbreg.`Building` WHERE buildingName NOT IN 
(SELECT hwName FROM $dbppc.`spc_Place`) " */
array('old' =>array('name'=>'Room''fld'=>array('roomNo','-','buildingId','-','-','-','-','capacity','roomNo')),
'new' =>array('name'=>'spc_Place''fld'=>array('plRmNo','plFloor','plBuilding','plRtId','plIsRoom','plIsDom','plNumFloor','plCapacity','hwName')),
'ref' =>array('fld'=>array('-','-','-','-','-','-','-','-')),
'def' =>array('fld'=>array('-','default/1/','-','default/1/','default/Y/','default/0/','-','-')),
'minus' =>array(),
'plus' =>array('1','3','4','5'),
'sql' => '?',
'qry' => " SELECT roomNo,'1',buildingId,'1','Y','N','1',capacity,roomNo 
FROM $dbreg.`Room` WHERE 1 "
),
/* OLD CODE: 'qry' => " SELECT roomNo,'1',buildingId,'1','Y','N','1',capacity,roomNo 
FROM $dbreg.`Room` WHERE roomNo NOT IN 
(SELECT hwName FROM $dbppc.`spc_Place`) " */

array('old' =>array('name'=>'Dom''fld'=>array('-','-','-','-','-','-','-','-','domName')),
'new' =>array('name'=>'spc_Place''fld'=>array('plRmNo','plFloor','plBuilding','plRtId','plIsRoom','plIsDom','plNumFloor','plCapacity','hwName')),
'ref' =>array('fld'=>array('-','-','-','-','-','-','-','-')),
'def' =>array('fld'=>array('default/ /','default/1/','default/NULL/','default/NULL/','default/N/','default/1/','default/0/','-')),
'minus' =>array(),
'plus' =>array('0','1','2','3','4','5','6','7'),
'sql' => '?',
'qry' => " SELECT '','1',NULL,NULL,'N','Y','1','0',domName 
FROM $dbreg.`Dom` WHERE 1 "
)
); 
/* OLD CODE: 'qry' => " SELECT '','1','NULL','28','N','Y','1','0',domName 
FROM $dbreg.`Dom` WHERE domName NOT IN 
(SELECT hwName FROM $dbppc.`spc_Place`) "*/
/*

*/
?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0186 ]--