!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/mistk/mistk/eoffice/admin/   drwxr-xr-x
Free 50.89 GB of 127.8 GB (39.82%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     testsend.php (7.34 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php
include_once "template.php";
include_once "../class/clsTable.php";
include_once "../class/clsDepartment.php";
include_once "../class/clsPerson.php";
include_once "../link/function.php";
include_once "../link/functionshow.php";
include_once "../class/clsDocLinePosition.php";
include_once "../class/clsDocLineConfig.php";
include_once "../class/clsReceiveSendType.php";
include_once "../class/clsDocType.php";
include_once "../class/clsDocSpeedLevel.php";
include_once "../class/clsDocSecreLevel.php";
include_once "../class/clsDocattatchesTmp.php";
include_once "../class/clsDocuments.php";
include_once "../class/clsDocattatches.php";
include_once "../class/clsDocReceiveSend.php";
include_once "../class/clsProposeType.php";
include_once "funct.php";
include_once "../class/clsDocSendtoPsTmp.php";
include_once "../class/clsannounceDocType.php";
include_once "../class/clsannounceDocType.php";
include_once "../class/clspsdept.php";
include_once "../class/clsDocWSign.php";
include_once "getPrefix.php";


$oC = new clsConnection($GLOBALS['DBHOST'], $GLOBALS['DBNAME_EOFFICE'], $GLOBALS['DBUSER_EOFFICE'], $GLOBALS['DBPASS_EOFFICE']);

$oDP = new Department($oC);
$oDP2 = new Department($oC);
$oDP3 = new Department($oC);
$oDP4 = new Department($oC);
$oDP5 = new Department($oC);
$oDPt = new Department($oC);
$oDPt2 = new Department($oC);
$oDPt3 = new Department($oC);
$oDPt4 = new Department($oC);
$oPS = new person($oC);
$oPS2 = new person($oC);
$oPS3 = new person($oC);
$oPS4 = new person($oC);
$oPS5 = new person($oC);
$oPS6 = new person($oC);
$oPS7 = new person($oC);
$oUG = new umgroup($oCu);
$oDlc = new DocLineConfig($oC);
$oDlc2 = new DocLineConfig($oC);
$oDlc3 = new DocLineConfig($oC);
$oDlc4 = new DocLineConfig($oC);
$oDlc5 = new DocLineConfig($oC);
$oDlc6 = new DocLineConfig($oC);
$oDlp = new docLinePosition($oC);
$oDlp1 = new docLinePosition($oC);
$oDlp2= new docLinePosition($oC);
$oRSt = new receiveSendType($oC);
$oDt = new doctype($oC);
$oDsl = new DocSpeedLevel($oC);
$oDcl = new DocSecretLevel($oC);
$oDtmp = new DocattatchesTmp($oC);
$oDoc = new Documents($oC);
$oDoc2 = new Documents($oC);
$oDoc3 = new Documents($oC);
$oDoc4 = new Documents($oC);
$oDoc5 = new Documents($oC);
$oDatt = new Docattatches($oC);
$oRs = new DocReceiveSend($oC);
$oRs1 = new DocReceiveSend($oC);
$oRs2 = new DocReceiveSend($oC);
$oRs3 = new DocReceiveSend($oC);
$oRs4 = new DocReceiveSend($oC);
$oRs6 = new DocReceiveSend($oC);
$oRs7 = new DocReceiveSend($oC);
$oRs8 = new DocReceiveSend($oC);
$oRs9 = new DocReceiveSend($oC);
$oRs10 = new DocReceiveSend($oC);
$oPt = new ProposeType($oC);
$oStmp=new DocSendToPsTmp($oC);
$oStmp2=new DocSendToPsTmp($oC);
$oAn=new announceDocType($oC);
$oAn=new announceDocType($oC);
$oPSd = new psdept($oC);
$MaxDocGroup=$oDP->SearchMaxDocGroup();
$oDws = new docwsign($oC);

doCheckAll();
?>

<?
    $oDoc->SearchByKey($DocID); $oDoc->GetRecord();
    $oDlc->SearchByKey($DLCID); $oDlc->GetRecord(); 
    $oRs->SearchByKey($DrsID); $oRs->GetRecord(); 
    $DlcdeptId=$oDlc->deptId
?>
<html>
<head>
<script language="javascript" src="../source/calendarDateInput.js"></script>
<script>window.onload=
function defaultDivDisplay(){  
    selectPtID=document.getElementById("PtID").value;   
    if(selectPtID==1 || selectPtID==2){
                for (var i=0; i<document.ff.length; i++)
                {
                    if(document.ff.elements[i].type == 'radio')
                    {   
                            document.ff.elements[i].style.display = "none";
                    }
                }    
    }
}
</script>
        <script language="javascript">
            var XMLHttpRequestObject=false;
            if(window.XMLHttpRequest){
                XMLHttpRequestObject=new XMLHttpRequest();
            }else if(window.ActiveXObject){
                XMLHttpRequestObject=new ActiveXObject("Microsoft.XMLHTTP");
            }
            function getData(data,divID){
                if(XMLHttpRequestObject){
                    var obj = document.getElementById(divID);
                    XMLHttpRequestObject.open("GET",data);
                    XMLHttpRequestObject.onreadystatechange=function(){
                        if(XMLHttpRequestObject.readyState==4 && 
                            XMLHttpRequestObject.status==200){
                            obj.innerHTML=XMLHttpRequestObject.responseText;
                        }
                    }
                    XMLHttpRequestObject.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
                    XMLHttpRequestObject.send(null);
                }
            }
        </script>
<meta http-equiv="Content-Type" content="text/html; charset=tis-620">
<link href="../source/style.css" rel="stylesheet" type="text/css">
</head>
<body>
<table width="100%" border="0" align="center" cellpadding="0" cellspacing="0" bordercolor="#DADADA" style="border-collapse:collapse">
                <tr bgcolor="<?php echo $GLOBALS["COLOR_BG_TD_2"]; ?>" height=22>
                <td width="50%" align="left" colspan="2">&nbsp;ส่งด่วน&nbsp;[เพิ่มผู้รับหนังสือ]</td>
              </tr>
                <tr bgcolor="<?php echo $GLOBALS["COLOR_BG_TD_17"]; ?>"><td bgcolor="<?php echo $GLOBALS["COLOR_BG_TD_17"]; ?>">
                <font size="2" color="<?php echo $GLOBALS["COLOR_FONT_2"];?>">&nbsp;&nbsp;ชื่อ - นามสกุล ::</font><input name="name" type="text" value="<? echo $name?>" size="15">&nbsp;<input type="button" value="ค้นหา" onclick="getData('data03.php','div1')">
                <? if($name!=""){ ?>&nbsp;<input type=submit value="เลือก" onClick="return getPs('<? echo $mainPsselect?>');"><? ?>
                <div style="overflow: auto; height: 100px; width: 100%;" align="left"><span id="div1">
                <table width="94%" border="0" cellpadding="0" cellspacing="0" bgcolor="<?php echo $GLOBALS["COLOR_BG_TD_17"]; ?>">
                <?
                        $oPS4->SearchByName($name);
                while($oPS4->GetRecord()){
                                if(($i%2) == 0)
                                          echo "<tr>";
                                    else
                                          echo "<tr bgcolor=\"".$GLOBALS['COLOR_BG_TABLE_8']."\">";
                ?>
                                <tr bgcolor="<?php echo $GLOBALS["COLOR_BG_TD_17"]; ?>"><td>&nbsp;&nbsp;<input name="sendToPs[<? echo $oPS4->personId?>]" type="checkbox" value="<? echo $oPS4->personId?>" >
                                <? echo "&nbsp;&nbsp;".GetPrefix($oPS4->prefixId).$oPS4->fName."&nbsp;".$oPS4->lName?></td></tr>
                <? ?>
                </table></span>
                </div>
                </td>
                <td width="50%" bgcolor="<?php echo $GLOBALS["COLOR_BG_TD_16"]; ?>" valign="top">
                <table width="100%" border="0" cellpadding="0" cellspacing="0" bgcolor="<?php echo $GLOBALS["COLOR_BG_TD_17"]; ?>">
                <tr>
                <td height=22 bgcolor="<?php echo $GLOBALS["COLOR_BG_TD_16"]; ?>" colspan="3">&nbsp;&nbsp;&nbsp;<strong>รายชื่อบุคลากรที่ต้องการส่งด่วน</strong></td></tr>    
                <?     $i=0;  $checkcountps=0;
                        $oStmp->SearchByDrsID($oRs->DrsID);
                        while($oStmp->GetRecord()){
                        $i++;
                        $oPS5->SearchByKey($oStmp->PsID); $oPS5->GetRecord(); 
                ?>
                <tr ><td width="83%" height=22 bgcolor="<?php echo $GLOBALS["COLOR_BG_TD_16"]; ?>">&nbsp;&nbsp;<? echo "&nbsp;&nbsp;&nbsp;&nbsp;".GetPrefix($oPS5->prefixId).$oPS5->fName."&nbsp;".$oPS5->lName?></td>
                <td width="17%" bgcolor="<?php echo $GLOBALS["COLOR_BG_TD_16"]; ?>" align="center"><img src="../picture/cancel.gif" alt="ลบ"  border="0"  style="cursor:pointer;" onClick="return deletePs('<? echo $oStmp->DtPsID?>','<? echo $mainPsselect?>');"></td>
                </tr>
                <? ?>
                <? if($i==0){   ?>
                <tr ><td  height=22 bgcolor="<?php echo $GLOBALS["COLOR_BG_TD_16"]; ?>" >&nbsp;&nbsp;&nbsp;&nbsp;<strong>-</strong></td>
                <td  height=22 bgcolor="<?php echo $GLOBALS["COLOR_BG_TD_16"]; ?>" >&nbsp;</td>
                </tr>
                <? }   $checkcountps=$i?>
                </table>
                </td>
                </tr>
                </table></body></html>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd
Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 
:: Upload ::
 
[ ok ]

:: Make Dir ::
 
[ ok ]
:: Make File ::
 
[ ok ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0142 ]--