<?php
// Error display is forced on here. NOTE(review): that surfaces file paths and
// query text to visitors; intended for development only.
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
error_reporting(E_ALL);

// The bundled phpqrcode library sits next to this script (__DIR__ is the same
// value as dirname(__FILE__)).
include __DIR__ . DIRECTORY_SEPARATOR . 'phpqrcode' . DIRECTORY_SEPARATOR . 'qrlib.php';

// Page wrapper opened here, closed at the end of the script.
echo "<div style='padding : 10px;' >";
echo " <h1> &nbsp gen QR Code</h1><hr/>";

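    // Writable location for temp generated PNG files (next to the bundled library).
    $PNG_TEMP_DIR = dirname(__FILE__) . DIRECTORY_SEPARATOR . 'phpqrcode' . DIRECTORY_SEPARATOR . 'temp' . DIRECTORY_SEPARATOR;

    // HTML location prefix for those PNGs: whatever of this file's directory is
    // left after removing the executing script's directory. explode() returns
    // false (with a warning) when the delimiter is empty, which isset() absorbs.
    $WEB_DIR = explode(dirname($_SERVER['SCRIPT_FILENAME']), dirname(__FILE__) . DIRECTORY_SEPARATOR);
    // NOTE(review): only a remainder that is exactly '/' is kept; any other
    // remainder (e.g. a '\'-separated Windows path) is dropped — confirm intended.
    $WEB_DIR_SEP = (isset($WEB_DIR[1]) && $WEB_DIR[1] === '/') ? $WEB_DIR[1] : '';
    $PNG_WEB_DIR = $WEB_DIR_SEP . 'phpqrcode' . DIRECTORY_SEPARATOR . 'temp' . DIRECTORY_SEPARATOR;

    // Create the temp dir if missing. is_dir() rather than file_exists(), so a
    // stray regular file of the same name is not mistaken for the directory.
    if (!is_dir($PNG_TEMP_DIR)) {
        mkdir($PNG_TEMP_DIR); // best effort; a failure surfaces as a PHP warning, as before
    }

    $filename = $PNG_TEMP_DIR . 'test.png';

    $errorCorrectionLevel = 'H'; // QR error-correction level: Q or H
    $matrixPointSize = 7;        // pixels per QR module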

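    // Reserved short codes that must never be handed out.
    $flist = array('ben', 'main', 'salary');
    $sdata = '';
    $dbs = new DB();
    $dbs->connectdb(DB_NAME, DB_USERNAME, DB_PASSWORD);

    // Draw random codes until one is neither reserved nor already in web_surl.
    // generateRandomString() only emits [0-9a-z], so $stmp is safe inside the
    // quoted WHERE literal the DB wrapper receives.
    while ($sdata === '') {
        $stmp = generateRandomString();
        if (in_array($stmp, $flist, true)) {
            continue; // reserved entry: try again
        }
        // Normalise in case num_rows() returns a numeric string rather than an int.
        if ((int) $dbs->num_rows('web_surl', 'shortURL', "shortURL='" . $stmp . "'") === 0) {
            $sdata = $stmp;
        }
    }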
    //print_r($dbs);

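    // Untrusted request values. ENT_QUOTES is explicit because the default
    // flag set leaves single quotes untouched, and the DB wrapper used below
    // only accepts string-built WHERE clauses (a bare quote would reach SQL).
    // TODO(review): the real fix is parameterised queries inside the DB wrapper.
    $data = (isset($_REQUEST['data']) && is_string($_REQUEST['data']))
        ? htmlspecialchars($_REQUEST['data'], ENT_QUOTES, 'UTF-8')
        : '';
    $user = isset($_SESSION['user_user']) ? $_SESSION['user_user'] : '';
    // A user-chosen short code replaces the generated one only when it is made
    // of characters that are safe both as a URL path segment and inside a quoted
    // SQL literal. Codes shorter than 4 characters are reserved for logged-in
    // users (the same rule the page's JS applies client-side).
    if (isset($_REQUEST['sdata']) && is_string($_REQUEST['sdata'])
        && preg_match('/^[A-Za-z0-9_-]+$/', $_REQUEST['sdata']) === 1
        && ($user !== '' || strlen($_REQUEST['sdata']) >= 4)) {
        $sdata = $_REQUEST['sdata'];
    }
    $imageString = ''; // data: URI shown in the page
    $imageS = '';      // raw PNG bytes of the composed image, written to disk
    if (isset($_REQUEST['data'])) {

        if (trim($data) === '') {
            die('data cannot be empty! <a href="?">back</a>');
        }
        // Only web URLs are shortened; this also keeps javascript:/data: style
        // values out of the stored longURL, which is later echoed into href=.
        if (preg_match('~^https?://~i', $data) !== 1) {
            die('data must start with http:// or https:// <a href="?">back</a>');
        }

        $filename = $PNG_TEMP_DIR . 'test' . md5($_REQUEST['data'] . '|' . $errorCorrectionLevel . '|' . $matrixPointSize) . '.png';

        // Render the bare QR code into memory (null filename => output buffer).
        ob_start();
        QRcode::png($data, null, $errorCorrectionLevel, $matrixPointSize, 2, true);
        $imageString = ob_get_clean();

        $QR = imagecreatefromstring($imageString);
        $logo = imagecreatefrompng(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'ben.png');
        if ($QR === false || $logo === false) {
            die('unable to render the QR image! <a href="?">back</a>');
        }

        /**
         *  Fix for the transparent background
         */
        imagecolortransparent($logo, imagecolorallocatealpha($logo, 0, 0, 0, 127));
        imagealphablending($logo, false);
        imagesavealpha($logo, true);

        $QR_width = imagesx($QR);
        $QR_height = imagesy($QR);
        $logo_width = imagesx($logo);
        $logo_height = imagesy($logo);

        // Scale the logo to one sixth of the QR width, keeping its aspect ratio.
        // The casts wrap the whole division so GD receives integers (the old
        // `(int) $a/6` cast $a first and handed GD floats).
        $logo_qr_width = (int) ($QR_width / 6);
        $scale = $logo_width / $logo_qr_width;
        $logo_qr_height = (int) ($logo_height / $scale);
        $QRw = (int) (($QR_width - $logo_qr_width) / 2);
        $QRh = (int) (($QR_height - $logo_qr_height) / 2);

        imagecopyresampled($QR, $logo, $QRw, $QRh, 0, 0, $logo_qr_width, $logo_qr_height, $logo_width, $logo_height);

        // Capture the composed PNG exactly once. imagepng() returns bool; the
        // image bytes go to the output buffer, so nothing may be echoed while it
        // is open (the old code echoed into it twice and then wrote the bool to disk).
        ob_start();
        imagepng($QR);
        $imageS = ob_get_clean();
        imagedestroy($QR);
        imagedestroy($logo);
        $imageString = 'data:image/png;base64,' . base64_encode($imageS);

        // Reuse an existing short code for this URL. A stored qrcode value is
        // only preferred when there actually is one; otherwise the fresh render
        // stays (new rows are inserted with an empty qrcode below).
        $sql = "SELECT * FROM web_surl WHERE longURL='" . $data . "'";
        $res = $dbs->select_query($sql);
        if ($row = $dbs->fetch($res)) {
            $sdata = $row['shortURL'];
            if (isset($row['qrcode']) && $row['qrcode'] !== '') {
                $imageString = $row['qrcode'];
            }
        }
        else {
            $adata = array('shortURL' => $sdata, 'longURL' => $data, 'qrcode' => '', 'userID' => $user);
            $dbs->update_add('web_surl', $adata, "shortURL='" . $sdata . "'");

            // Persist the composed PNG for surlapi.php / the page's JS preview.
            // (The old code used an unquoted data/surl constant in mkdir().)
            if (!is_dir('data/surl')) {
                mkdir('data/surl', 0777, true);
            }
            if (file_put_contents('data/surl/' . $sdata . '.png', $imageS) === false) {
                die('Unable to open file!');
            }
        }
    }
    elseif (isset($_REQUEST['del'], $_REQUEST['surl'])
        && (string) $_REQUEST['del'] === '1'
        && is_string($_REQUEST['surl'])
        && preg_match('/^[A-Za-z0-9_-]+$/', $_REQUEST['surl']) === 1) {
        // The listing below only shows the session user's rows, so deletion is
        // restricted to them as well. The allowlist above keeps surl out of the
        // quoted literal; $user is the session value, not request input.
        $dbs->del('web_surl', " shortURL='" . $_REQUEST['surl'] . "' AND userID='" . $user . "' ");
        echo "<script> window.location.href='index.php?name=webtool&file=qr' ; </script>";
    }

    // The hidden "qr" field round-trips the rendered image through the form
    // post. Only a well-formed PNG data: URI is accepted back, so the value
    // that later lands in src= / value= attributes cannot carry markup.
    if (isset($_REQUEST['qr']) && is_string($_REQUEST['qr'])
        && preg_match('~^data:image/png;base64,[A-Za-z0-9+/=]+$~', $_REQUEST['qr']) === 1) {
        $imageString = $_REQUEST['qr'];
    }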
    //echo $imageString ;
       

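    // Echo the form. $data was entity-encoded when it was read from the request,
    // so it is safe inside the double-quoted value= as-is; $sdata may come raw
    // from the database and $imageString from the posted "qr" field, so both are
    // encoded here (double_encode=false keeps already-encoded entities intact).
    echo '<form action="" method="post">';
    echo 'URL :&nbsp;<input name="data" id="lurl" size=120 value="' . $data . '" placeholder="https://ben.ac.th/main" /><br>';
    echo 'short URL :&nbsp; <b>ben.ac.th/</b><input name="sdata" size=20 id="sdata" value="'
        . htmlspecialchars($sdata, ENT_QUOTES, 'UTF-8', false) . '" onkeyup="change(this)" />';
    echo '<input type="hidden" name="qr" value="' . htmlspecialchars($imageString, ENT_QUOTES, 'UTF-8', false) . '" >';
    echo '<input type="submit" id="GENERATE" value="GENERATE">';
    echo '</form>';
    echo '<div id="status"></div>';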

    //echo $WEB_DIR_SEP ;
    //print_r($_SESSION) ;
    //print_r($_REQUEST);
        
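    if (isset($_REQUEST['data'])) {
        // Display the image produced above. Both values are attribute-encoded:
        // $imageString may originate from the posted "qr" field, $sdata from the
        // database. The href is quoted so a code containing a space cannot spill
        // into further attributes (the old markup used an unquoted href and
        // typographic quotes around _blank, which browsers do not treat as quotes).
        echo '<img width=180 src="' . htmlspecialchars($imageString, ENT_QUOTES, 'UTF-8', false) . '" >';
        echo '<br> &nbsp; &nbsp; <a href="https://ben.ac.th/' . htmlspecialchars($sdata, ENT_QUOTES, 'UTF-8', false)
            . '" target="_blank" id="urltest">ben.ac.th/' . htmlspecialchars($sdata, ENT_QUOTES, 'UTF-8', false) . '</a><hr/>';
    }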
    
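    // List the current user's short URLs. $user is the same session lookup used
    // when rows are inserted, and is '' rather than an undefined-index notice
    // when no session is present.
    $res = $dbs->select_query("SELECT * FROM web_surl  WHERE userID='" . $user . "' ");
    echo "<br><br><br><table border=1 cellspacing=0>";
    $cnt = 1;
    while ($row = $dbs->fetch($res)) {
        // Stored values are echoed into attributes and text: longURL was only
        // partially encoded on input (single quotes were not), shortURL not at
        // all. double_encode=false keeps entities that are already encoded.
        $shortUrl = htmlspecialchars($row['shortURL'], ENT_QUOTES, 'UTF-8', false);
        $longUrl = htmlspecialchars($row['longURL'], ENT_QUOTES, 'UTF-8', false);
        echo "<tr>";
        echo "<td>$cnt</td>";
        // The code goes into a query string of the delete link: URL-encode it.
        echo "<td><a href='?name=webtool&file=qr&del=1&surl=" . rawurlencode($row['shortURL']) . "' ><img src='images/delete.gif'></a></td>";
        echo "<td>" . $shortUrl . "</td>";
        echo "<td><a href='" . $longUrl . "' target=_blank> " . $longUrl . " </a></td>";
        echo "</tr>\n";
        $cnt++;
    }
    echo "</table>";

    // benchmark hook (QRtools::timeBenchmark()) intentionally left out

    echo "</div>"; // closes the page wrapper opened at the top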
    // end

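    /**
     * Build a random short-URL code from lowercase letters and digits.
     *
     * The alphabet is lowercase-only so generated codes read the same
     * regardless of how they are typed. (An earlier mixed-case alphabet was
     * assigned and immediately overwritten; that dead assignment is gone.)
     * Uniqueness is not guaranteed here — the caller re-draws on collision.
     *
     * @param int $length number of characters; 0 or less yields ''
     * @return string
     */
    function generateRandomString($length = 4) {
        $characters = '0123456789abcdefghijklmnopqrstuvwxyz';
        $maxIndex = strlen($characters) - 1;
        $randomString = '';
        for ($i = 0; $i < $length; $i++) {
            $randomString .= $characters[mt_rand(0, $maxIndex)];
        }
        return $randomString;
    }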

    ?>

<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>

<script>
        // Handles for the form controls the helpers below drive.
        var lurl = document.getElementById("lurl"),
            sdat = document.getElementById("sdata"),
            butt = document.getElementById("GENERATE"),
            stat = document.getElementById("status");

    // Short code is available: clear the warning colour, allow submit, show s.
    function set_enable(s){
        butt.disabled = false;
        sdat.style.backgroundColor = "white";
        console.log(s);
        stat.innerHTML = s;
    }
    // Short code is not usable: mark the field red, block submit, show s.
    function set_disable(s){
        butt.disabled = true;
        sdat.style.backgroundColor = "red";
        console.log(s);
        stat.innerHTML = s;
    }
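    // Preview the PNG stored for the code currently typed in #sdata.
    // `d` (the surlapi.php response) is accepted for call compatibility but unused.
    function set_miage(d){
        if(sdat.value == "") return;
        var code = sdat.value;
        var url = window.location.href.split("index.php?")[0];
        // The code is user-typed: URL-encode it where it becomes part of a URL
        // and build the preview from DOM nodes instead of string-concatenated
        // innerHTML, so quotes or angle brackets in the input cannot inject markup.
        var img = document.createElement("img");
        img.width = 180;
        img.src = url + "/data/surl/" + encodeURIComponent(code) + ".png";
        var link = document.createElement("a");
        link.href = "http://ben.ac.th/" + encodeURIComponent(code);
        link.target = "_blank";
        link.textContent = "http://ben.ac.th/" + code;
        stat.innerHTML = "";
        stat.appendChild(document.createElement("br"));
        stat.appendChild(img);
        stat.appendChild(document.createElement("br"));
        stat.appendChild(link);
        stat.appendChild(document.createElement("br"));
    }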
    function change(el){
        var v = el.value ;
        var u = '<?php echo  $user ; ?>' ;

        if(u.length <= 0 &&  v.length < 4 ) {
            set_disable("You not log in ?...  ถ้าจะใช้น้อยกว่า 4 ตัวอักษร ต้องเข้าสู่ระบบก่อน");
            return 0 ;
        }
        //var url = "https://myoffice.ben.ac.th/modules/webtool/surlapi.php?surl=" + v ;
        var url = window.location.href.split("index.php?")[0];
            url += "/modules/webtool/surlapi.php?surl=" + v ;
        $.get( url , function(data, status){
            //alert("Data: " + data + "\nStatus: " + status);

            if(data.trim() == "yes"){
                set_enable('สามารถใช้ได้');
            }
            else{
                set_disable("Not able ซ้ำที่มีอยู่ในระบบ");
                set_miage(data);
                console.log( url) ;
            }
        });
    }

</script>
