EVERY C99 / C99.PHP SHELL IS BACKDOORED (A.K.A. FREE SHELLS FOR EVERYONE!)

http://thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/

Earlier I made a post calling out the wrong people for backdooring the C99.php shell hosted on r57.gen.tr. They look to possibly be only exploiting an already existing vulnerability in the C99 shell. The truth is the C99 shell is just plain backdoored. I’d apologize but the JavaScript tracking on their distributed shells is still pretty sketchy so I have a feeling they are aware of the backdoor.

For those who missed it, the C99 shell has a backdoor due to a vulnerability in the use of theextract() command.

The vulnerable lines:

This line allows you to overwrite any variable using an array:

Which is weirdly right over this code:

Which means if we change our URL to:
http://127.0.0.1/c99.php?c99shcook[login]=0

We bypass all of that nasty authentication!

Selection_099

This can also be done via POST or via cookies for easier access.

If you intended on using the C99 shell for anything I’d recommend against it, or if you do, feel free to share the link.

For more fun, here is a list of C99 shell Google dorks: http://www.hackingsec.in/2012/04/google-dorks-find-backdoor-c99-find.html

(For those looking for a better shell, check out Weevely)

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值